Deeplinks
https://www.eff.org/rss/updates.xml
EFF's Deeplinks Blog: Noteworthy news from around the internet
en
Senator Wyden Asks NSA Director Nominee the Right Questions
https://www.eff.org/deeplinks/2018/03/senator-wyden-asks-nsa-director-nominee-right-questions
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Lt. Gen. Paul Nakasone, the new nominee to direct the NSA, <a href="https://www.c-span.org/video/?442611-1/nsa-nominee-lieutenant-general-paul-nakasone-testifies-confirmation-hearing">faced questions Thursday</a> from the Senate Select Committee on Intelligence about how he would lead the spy agency. One committee member, Senator Ron Wyden (D-OR), asked the nominee if he and his agency could avoid the mistakes of the past, and refuse to participate in any new, proposed spying programs that would skirt the law and violate Americans’ constitutional rights.</p>
<p>“In 2001, then-President Bush directed the NSA to conduct an illegal, warrantless wiretapping program. Neither the public nor the full intelligence committee learned about this program until it was revealed in the press,” Wyden said. Wyden, who was a member of the committee in 2001, said he personally learned about the NSA surveillance program—which bypassed judicial review required from the Foreign Intelligence Surveillance Court—by reading about it in the newspaper. Sen. Wyden continued:</p>
<p>“If there was a form of surveillance that currently requires approval by the [Foreign Intelligence Surveillance Court] and you were asked to avoid the court, based on some kind of secret legal analysis, what would you do?”</p>
<p>Lt. Gen. Nakasone deferred, assuring Sen. Wyden that he would receive a “tremendous amount of legal advice” in his new job, if confirmed.</p>
<p>Sen. Wyden interrupted: “Let me just stop it right there, so I can learn something that didn’t take place before. You would, if asked, tell the entire committee that you had been asked to [review such a program]?”</p>
<p>“Senator,” Lt. Gen. Nakasone responded, “I would say that I would consult with the committee—”</p>
<p>“When you say consult,” Wyden interrupted again, “you would inform us that you had been asked to do this?”</p>
<p>Lt. Gen. Nakasone repeated himself: he would consult with the committee, and keep senators involved in such discussions. Lt. Gen. Nakasone added, though, that “at the end of the day, Senator, I would say that there are two things I would do. I would follow the law, and I would ensure, if confirmed, that the agency follows the law.”</p>
<p>Sen. Wyden took it as a win.</p>
<p>“First of all, that’s encouraging,” Wyden said, “because that was not the case back in 2001.”</p>
<p>He continued: </p>
<p>“In 2001, the President said we’re going to operate a program that clearly was illegal. Illegal! You’ve told us now, you’re not going to do anything illegal. That’s a plus. And you told us that you would consult with us if you were ever asked to do something like that. So, I appreciate your answer.”</p>
<p>Sen. Wyden also asked Lt. Gen. Nakasone about encryption. Sen. Wyden asked Lt. Gen. Nakasone if he agreed with encryption experts’ opinion that, if tech companies were required to “permit law enforcement access to Americans’ private communications and data,” then such access could be exploited by “sophisticated, foreign government hackers,” too.</p>
<p>Again, Lt. Gen. Nakasone avoided a direct yes or no answer, and again, Sen. Wyden interrupted.</p>
<p>“My time is up, general. Just a yes-or-no answer to the question, with respect to what experts are saying,” Wyden said. “Experts are saying that the tech companies can’t modify their encryption to permit law enforcement access to Americans’ private communications without the bad guys getting in, too. Do you disagree with the experts, that’s just a yes or no.”</p>
<p>“I would offer Senator,” Lt. Gen. Nakasone said, “that it’s a conditional yes.”</p>
<p>Wyden, a staunch encryption advocate in the Senate, interpreted Lt. Gen. Nakasone’s answer positively. “That’s encouraging as well,” Wyden said. “I look forward to working with you in the days ahead.”</p>
<p>Senate Intelligence Committee Chairman Richard Burr (R-NC), at the close of the hearing, said he would like to swiftly move Lt. Gen. Nakasone’s nomination further. If other Senators have the opportunity to question Lt. Gen. Nakasone about his potential leadership of the NSA, we hope they ask pointed, necessary questions about the agency’s still-ongoing surveillance program Section 702, and how the nominee plans to reconcile the agency’s widespread, invasive spying program with Americans’ constitutional right to privacy. </p>
</div></div></div>
Fri, 16 Mar 2018 21:19:26 +0000
98318 at https://www.eff.org
Commentary, Privacy, NSA Spying
David Ruiz
How FOSTA Could Give Hollywood the Filters It's Long Wanted
https://www.eff.org/deeplinks/2018/03/how-fosta-will-get-hollywood-filters-theyve-long-wanted
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Some of the biggest names in the U.S. entertainment industry have expressed a recent interest in a topic that’s seemingly far away from their core business: shutting down online prostitution. Disney, for instance, recently <a href="https://www.portman.senate.gov/public/index.cfm/files/serve?File_id=A282BB11-A891-4B81-A7A1-6F37263E2BCB">wrote to key U.S. senators</a> expressing their support for <a href="https://www.congress.gov/bill/115th-congress/senate-bill/1693/actions">SESTA</a>, a bill that was originally aimed at sex traffickers. For its part, <a href="http://variety.com/2017/politics/news/sex-trafficking-act-21st-century-fox-1202557318/">20th Century Fox told the same senators</a> that anyone doing business online “has a civic responsibility to help stem illicit and illegal activity.”</p>
<p>Late last year, the bill the entertainment companies supported morphed from SESTA into <a href="https://www.congress.gov/bill/115th-congress/house-bill/1865/all-actions">FOSTA</a>, and then into a kind of <a href="https://www.eff.org/deeplinks/2018/02/fosta-would-be-disaster-online-communities">Frankenstein bill that combines the worst aspects of both</a>. The bill still does nothing to catch or punish traffickers, or provide help to victims of sex trafficking.</p>
<p>As <a href="https://www.eff.org/files/2017/09/18/sestahearing-freedomnetwork.pdf">noted by Freedom Network USA</a>, the largest coalition of organizations working to fight human trafficking, law enforcement already has the ability to go after sex traffickers and anyone who helps them. Responsible web operators can help in that task. The civil liabilities imposed by FOSTA could actually <em>harm</em> the hunt for perpetrators.</p>
<p>Freedom Network suggests the better approach would be to provide services and support to victims, but that’s not what FOSTA does. What it does do is offer a powerful incentive for online platforms to <a href="https://www.eff.org/deeplinks/2017/12/amended-version-fosta-would-still-silence-legitimate-speech-online">police the speech of users and advertisers</a>. A perceived violation of a state’s anti-trafficking laws could lead to authorities seeking civil or criminal penalties, or a barrage of lawsuits.</p>
<p>So, why are movie studios involved at all in this debate? Hollywood is lobbying for laws that will force online intermediaries to shut down user speech. That’s what they’ve been seeking since practically the beginning of the Internet.</p>
<h3>A Brief History of Safe Harbors</h3>
<p>The Internet as we know it is underpinned by two critical laws that have allowed user speech to blossom: Section 230 of the Communications Decency Act, and 17 U.S. Code § 512, which outlines the “safe harbor” provisions of the Digital Millennium Copyright Act, or DMCA.</p>
<p>Section 230 prevents online platforms from being held liable, in many cases, for their users’ speech. Platforms are free to moderate speech in a way that works for them—removing spam or trolling comments, for instance—without being compelled to read each comment, or view each video, a task that’s simply impossible on sites with thousands or millions of users.</p>
<p>Similarly, the DMCA safe harbor shields the same service providers from copyright damages based on user infringement, as long as they follow certain guidelines. The two laws work together to send a clear message: in the online world, users are responsible for their own actions and speech, and online platforms can mediate that speech—or not—as fits the needs of their community.</p>
<p>For two decades now, Section 230 and the DMCA have complemented each other, allowing for an explosion of online creativity. Without the DMCA safe harbor, small businesses could face bankruptcy over the copyright infringement of a few users. And without Section 230, the same businesses could be sued for a vast array of user misbehavior that they didn’t even know about. Lawsuits for libel or invasion of privacy, for instance, could be aimed at the platform, rather than the person who actually <em>committed</em> those acts.</p>
<p>Without these key legal protections, many sites would make the safe choice and simply choose to not host free and unfettered discussions. Others might begin to police user content overzealously, removing or blocking lots of lawful speech for fear of letting something illegal slip through. The safe harbors keep the focus for any online wrongdoing on the actual wrongdoer, whether it’s a civil violation like copyright infringement, or criminal acts.</p>
<p>It’s hardly a free-for-all for the companies protected by the safe harbors, which have significant limits. Online platforms that edit or direct user speech that violates the law, for instance, can’t avail themselves of Section 230 protections. It’s fine to run online advertisements, but sites that help users post ads for illegal or discriminatory content can be, and have been, held accountable.</p>
<p>Section 230 doesn’t offer any shield against federal criminal law, and one doesn’t have to look far to find website operators that have been punished under those laws. The operator of the online marketplace Silk Road, for instance, was convicted of federal drug trafficking offences.</p>
<p>Nor does protection accrue to websites that make contributions, even small ones, to illegal content. An online housing website, Roommates.com, lost Section 230 protection simply because it required users to answer questions that could be used in housing discrimination. While EFF has long expressed concerns about the free speech implications of the 2008 <em>Fair Housing Council v.</em> <em>Roommates.com</em> decision, it remains the law and demonstrates that <a href="https://www.eff.org/deeplinks/2017/09/stop-sesta-section-230-not-broken">Section 230 is far from a free pass</a>.</p>
<p>Likewise, the DMCA safe harbors only apply if an online platform complies with numerous requirements, including implementing a repeat-infringer policy and responding to notices of infringement by taking down content.</p>
<h3>Towards a Filtered Net?</h3>
<p>For legacy software and entertainment companies, breaking down the safe harbors is another road to a controlled, filtered Internet—one that looks a lot like cable television. Without safe harbors, the Internet will be a poorer place—less free for new ideas and new business models. That suits some of the gatekeepers of the pre-Internet era just fine.</p>
<p>The not-so-secret goal of SESTA and FOSTA is made even more clear in a <a href="https://www.portman.senate.gov/public/index.cfm?p=press-releases&amp;id=197B9C12-C83A-4106-A0C4-DFD0DAB7594B">letter from Oracle</a>. “Any start-up has access to low cost and virtually unlimited computing power and to advanced analytics, artificial intelligence and filtering software,” wrote Oracle Senior VP Kenneth Glueck. In his view, Internet companies shouldn’t “blindly run platforms with no control of the content.”</p>
<p>That comment helps explain why we’re seeing support for FOSTA and SESTA from odd corners of the economy: some companies will prosper if online speech is subject to tight control. An Internet that’s <a href="https://www.eff.org/deeplinks/2017/06/copyright-law-shouldnt-pick-winners">policed by “copyright bots”</a> is what major film studios and record labels have advocated for more than a decade now. Algorithms and artificial intelligence have made major advances in recent years, and some content companies have used those advances as part of a push for mandatory, proactive filters. That’s what they mean by phrases like <a href="https://www.eff.org/deeplinks/2016/01/notice-and-stay-down-really-filter-everything">“notice-and-stay-down,”</a> and that’s what messages like the Oracle letter are really all about.</p>
<p>Software filters can provide a useful first take in moderating content, but they need proper supervision from humans. Bots still can’t determine when use of copyrighted material is fair use, for instance, which is why a best practice is to <a href="https://www.eff.org/pages/fair-use-principles-user-generated-video-content">always let human creators dispute the determination</a> of an automated filter.</p>
<p>Similarly, it’s unlikely that an automated filter will be able to determine the nuanced difference between actual online sex-trafficking and a discussion <em>about</em> sex-trafficking. Knocking down safe harbors will lead to an over-reliance on flawed filters, which can easily <a href="https://www.eff.org/deeplinks/2017/09/stop-sesta-whose-voices-will-sesta-silence">silence the wrong people</a>.</p>
<p> Those filters would create a huge barrier to entry for startups, non-profits, and hobbyists. And at the end of the day, they’d hurt free speech. Saying that new technology can produce a successful filter is a fallacy—bots simply can’t do fair use.</p>
<p>So when Hollywood and entrenched tech interests suddenly take a new interest in the problem of sex trafficking, it’s fair to wonder why. After all, an Internet subject to corporate filters will make it <a href="https://www.eff.org/deeplinks/2017/12/internet-censorship-bills-wouldnt-help-catch-sex-traffickers">harder, not easier, to hunt down and prosecute sex traffickers</a>.</p>
<p>Punching a hole in safe harbors to reshape the Internet has been the project, in many different forms, for more than a decade now. The FOSTA bill, if it passes the Senate, will be the first major success in dismantling a safe harbor. But don’t count on it to be the last.</p>
<p class="take-action"><a href="https://stopsesta.org/">Take Action</a></p>
<p class="take-action take-explainer">Stop SESTA and FOSTA</p>
</div></div></div>
Fri, 16 Mar 2018 20:49:10 +0000
98317 at https://www.eff.org
Commentary, Section 230 of the Communications Decency Act
Joe Mullin
Catalog of Missing Devices: Panfluent
https://www.eff.org/deeplinks/2018/03/catalog-missing-devices-panfluent
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><em>Visit <a href="/missing-devices">The Catalog of Missing Devices</a>, a collection of tools, services, and products that could have been, but never were, because of DRM.</em></p>
<p><img src="/files/2018/03/15/5-machine-translation.pdf_.png" alt="" width="868" height="1076" /></p>
<p>For the most part, rightsholders don't object to user-created subtitling, which is key to making videos available to non-native speakers of the media's original language, and accessible to people with hearing disabilities. Fansubbing and similar practices predate internet videos by decades, but creating a crowdsourced subtitling tool becomes a potential felony once DRM gets in the picture, if the DRM has to be bypassed to get the subtitles in.</p>
</div></div></div>
Fri, 16 Mar 2018 00:37:57 +0000
98311 at https://www.eff.org
Commentary, DMCA, DMCA Rulemaking, DRM
Cory Doctorow
Unanimous Support in Berkeley for Community Control of Spy Tech
https://www.eff.org/deeplinks/2018/03/unanimous-support-berkeley-community-control-spy-tech
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Berkeley’s City Council voted unanimously this week to pass the <a href="https://www.eff.org/document/proposed-ordinance-surveillance-technology-use-and-community-safety">Surveillance Technology and Community Safety Ordinance</a> into law. (This is an earlier draft of the ordinance. We’ll update this link when the approved version is published.) Berkeley joins Santa Clara County (<a href="https://www.eff.org/deeplinks/2016/06/california-county-breaks-new-ground-surveillance-transparency">which adopted a similar law in June of 2016</a>) in showing the way for the rest of California. In addition to considerable and unopposed spoken support during the public comment portion of the hearing, Mayor Jesse Arreguín reported that he and the City Council had received almost 200 letters and emails asking for the law to be adopted.</p>
<p><a href="https://www.eff.org/document/community-letter-support-surveillance-equipment-use-and-community-safety-ordinance">EFF has long supported this ordinance</a>. During this week’s public comment, Jason Kelley spoke not only as EFF’s digital strategist but as a local resident and community member. He shared that “my friends and I—many of whom live here—are concerned that surveillance tech might be purchased and used without proper oversight.”</p>
<p>The ordinance, part of a nationwide effort to require community control of police surveillance, will address the concerns Kelley and so many in the community share. The new law will require that before acquiring surveillance technology, city departments submit use policies and acquisition reports detailing what will be acquired and how it works. These reports must also outline potential impacts on civil liberties and civil rights as well as steps to ensure adequate security measures safeguarding the data collected or generated. </p>
<p>These requirements are particularly important in light of <a href="https://www.theverge.com/2018/1/26/16932350/ice-immigration-customs-license-plate-recognition-contract-vigilant-solutions">recent reports</a> that Automated License Plate Reader (ALPR) data collected by police is being shared with ICE. In response to these reports, the City of Alameda recently <a href="http://www.publicceo.com/2018/02/alameda-delays-decision-for-more-license-plate-readers-after-disclosure-of-vendors-ties-to-ice/">voted against acquiring new ALPRs</a>. During this week’s Berkeley city council meeting, the police chief stated that the Berkeley police department was not sharing any information acquired through their own ALPRs with third parties. The new ordinance will assure that equipment acquired in the future will be approved only after such policies have been made public and reviewed.</p>
<p>While the meeting lasted into the late hours of the night, the path to this important legislation has been ongoing for over a year. EFF worked alongside dozens of local partners, including Oakland Privacy (a member of the Electronic Frontier Alliance), the ACLU, the Council of American Islamic Relations, the Center for Media Justice, and Restore the Fourth.</p>
<p>With Santa Clara County and Berkeley now working diligently to protect the civil liberties of their residents, requiring public comment and city council approval on whether or not to acquire surveillance equipment, hope is high that similar ordinances will soon be passed in the cities of Davis and Oakland and by the Bay Area Rapid Transit system. </p>
<p>Technology has the power to improve our lives. It can make our government more accountable and efficient, and expose us to new information. But it also can intrude on our privacy and chill our free speech. Now more than ever, public safety requires trust between law enforcement and the community served. That trust is by necessity built in transparency and clear processes that balance public safety with the maintenance of the most essential of civil liberties. The Community Control of Police Surveillance ordinance model assures all residents are afforded a voice in that process. Groups like <a href="https://oaklandprivacy.org/">Oakland Privacy</a> in the Bay Area, and <a href="https://www.facebook.com/privacywatchstl/">Privacy Watch</a> in St. Louis, are working hard to assure similar ordinances are adopted in their communities. Visit the <a href="https://www.eff.org/electronic-frontier-alliance">Electronic Frontier Alliance</a> homepage to find or start an allied organization in your area.</p>
</div></div></div>
Fri, 16 Mar 2018 00:18:16 +0000
98313 at https://www.eff.org
News Update, Electronic Frontier Alliance, Surveillance Technologies, Privacy, Street-Level Surveillance, Transparency
Nathan Sheard
Blind Users Celebrate as Marrakesh Treaty Implementation Bill Drops
https://www.eff.org/deeplinks/2018/03/blind-users-celebrate-marrakesh-treaty-implementation-bill-drops
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Today the Marrakesh Treaty Implementation Bill was introduced into Congress by Senators Chuck Grassley (R-IA), Bob Corker (R-TN), Dianne Feinstein (D-CA), Bob Menendez (D-NJ), Kamala Harris (D-CA), Orrin Hatch (R-UT), and Patrick Leahy (D-VT). The bill implements the Marrakesh Treaty to Facilitate Access to Published Works for Persons Who Are Blind, Visually Impaired or Otherwise Print Disabled, a landmark treaty that was adopted by the World Intellectual Property Organisation (<a href="https://www.eff.org/issues/wipo">WIPO</a>) <a href="https://www.eff.org/deeplinks/2013/06/historic-milestone-rights-readers-un-negotiators-finalize-treaty-blind">in June 2013</a>, and has since been ratified by 37 other countries. The treaty is notable in that it is the first WIPO treaty passed primarily for a disadvantaged class of users, rather than for the benefit of copyright holders.</p>
<p>When passed, the bill will allow those who are blind, visually impaired, or otherwise reading disabled (for example, being unable to pick up and turn the pages of a book) to make free use of written works in accessible formats such as braille, large print, or audiobook. Although similar provisions were already part of U.S. law, the amendments made by this bill slightly broaden the class of beneficiaries who were eligible for access to such works.</p>
<p>Even more significantly, the implementation bill will ensure that it is legal for accessible works to be sent between the U.S. and other countries that are signatories to the Marrakesh Treaty. There are many blind, visually impaired, and print disabled users in countries that do not have the capacity to produce their own accessible works, reflected in the fact that such users in poor countries have access to only 1% of published books in accessible formats, compared with 7% in rich countries. Allowing eligible users throughout the world access to works that have been created in any other Marrakesh signatory countries is a compassionate and sensible solution to this "book famine."</p>
<p>The implementation bill tracks the Marrakesh Treaty closely, and it is not, as we had once feared, tied to the implementation of the <a href="https://www.eff.org/deeplinks/2015/03/will-us-senate-hold-blind-people-ransom-big-media">much more problematic</a> Beijing Treaty on Audiovisual Performances, which would require more significant changes to U.S. law. The National Federation for the Blind, libraries, publishers, the Copyright Office and the U.S. Patent and Trademark Office (USPTO) all support the Marrakesh Treaty Implementation Bill, and so does EFF. We wish the bill's sponsors success in seeing its speedy passage through Congress.</p>
</div></div></div>
Thu, 15 Mar 2018 17:45:11 +0000
98293 at https://www.eff.org
Commentary, Creativity & Innovation, WIPO
Jeremy Malcolm
A Smattering of Stars in Argentina's First "Who Has Your Back?" ISP Report
https://www.eff.org/deeplinks/2018/03/who-has-your-back-argentina
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>It’s Argentina's turn to take a closer look at the practices of their local Internet Service Providers, and how they treat their customers’ personal data when the government comes knocking.</span></p>
<p><span>Argentina's ¿Quien Defiende Tus Datos? (</span><i><span>Who Defends Your Data?</span></i><span>) is a project of Asociación por los Derechos Civiles and the Electronic Frontier Foundation, and is part of a region-wide initiative by leading Iberoamerican digital rights groups to turn a spotlight on how the policies of Internet Service Providers either advance or hinder the privacy rights of users.</span></p>
<p><span>The report is based on EFF's annual</span><a href="https://www.eff.org/who-has-your-back-2016"><span> </span><i><span>Who Has Your Back</span></i></a><i><span>?</span></i><span><span> </span>report, but adapted to local laws and realities. Last year Brazil’s<span> </span></span><a href="http://www.internetlab.org.br/en/"><span>Internet Lab</span></a><span>, Colombia’s<span> </span></span><a href="http://dondeestanmisdatos.info/2016/"><span>Karisma Foundation</span></a><span>, Paraguay's</span><a href="https://qdtd.tedic.org/"><span><span> </span>TEDIC</span></a><span>, and Chile’s<span> </span></span><a href="https://www.eff.org/deeplinks/2017/04/who-has-your-back-chile-first-annual-report-seeks-find-out-which-chilean-isps"><span>Derechos Digitales</span></a><span><span> </span>published their own 2017 reports, and <a href="https://eticasfoundation.org/qdtd">ETICAS Foundation</a> released a similar study earlier this year, part of a series across Latin America and Spain.</span></p>
<p><span>The report set out to examine which Argentine ISPs best defend their customers. Which are transparent about their policies regarding requests for data? Do any challenge disproportionate demands for their users’ data? Which require a judicial order before handing over personal data? Do any of the companies notify their users when complying with judicial requests? ADC examined publicly posted information, including the privacy policies and codes of practice, from six of the biggest Argentine telecommunications access providers: Cablevisión (Fibertel), Telefónica (Speedy), Telecom (Arnet), Telecentro, IPLAN, and DirecTV (AT&amp;T). Between them, these providers cover 90% of the fixed and broadband market.</span></p>
<p><span>Each company was given the opportunity to answer a questionnaire, to take part in a private interview and to send any additional information if they felt appropriate, all of which was incorporated into the final report. ADC’s rankings for Argentine ISPs are below; the full report, which includes details about each company, is available at:<span> </span></span><a href="https://adcdigital.org.ar/qdtd"><span>https://adcdigital.org.ar/qdtd</span></a></p>
<h3><b>Evaluation Criteria for ¿Quién Defiende tus Datos?</b></h3>
<ol><li><b>Privacy Policy</b><span>: whether its privacy policy is easy to understand, whether it tells users which data is being collected, how long these companies store their data, if they notify users if they change their privacy policies, if they publish a note regarding the right of access to personal data, and if they foresee how the right of access to a person's data may be exercised.</span></li>
<li><b>Transparency:</b><span><span> </span>whether they publish transparency reports that are accessible to the public, and how many requests have been received, compiled and rejected, including details about the type of requests, the government agencies that made the requests and the reasons provided by the authority.</span></li>
<li><b>Notification:</b><span><span> </span>whether they provide any kind of notification to customers of government data demands, and bonus points if they do the notification a priori.</span></li>
<li><b>Judicial Court:</b><span><span> </span>whether they require the government to obtain a court order before handing over data, and if they judicially resist data requests that are excessive and do not comply with legal requirements.</span></li>
<li><b>Law Enforcement Guidelines</b><span>: whether they publish</span><span><span> </span>their guidelines for law enforcement requests.</span></li>
</ol><p class="center-image"><img src="/files/2018/03/14/qdtd-cuadro-comparativo-general-2017.png" width="750" height="690" alt="" /></p>
<p><span>Companies in Argentina are off to a good start but still have a way to go to fully protect their customers’ personal data and be transparent about who has access to it. ADC and EFF expect to release this report annually to incentivize companies to improve transparency and protect user data. This way, all Argentines will have access to information about how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions. We hope next year’s report will shine with more stars.</span></p>
</div></div></div>
Wed, 14 Mar 2018 12:53:27 +0000
98297 at https://www.eff.org
Announcement, Privacy
Katitza Rodriguez
Appellate Court Issues Encouraging Border Search Opinion
https://www.eff.org/deeplinks/2018/03/appellate-court-issues-encouraging-border-search-opinion
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>The U.S. Court of Appeals for the Fifth Circuit in <a href="https://www.eff.org/press/releases/eff-court-border-agents-need-warrants-search-contents-digital-devices"><em>U.S. v. Molina-Isidoro</em></a> recently issued an <a href="http://www.ca5.uscourts.gov/opinions/pub/17/17-50070-CR0.pdf">encouraging opinion</a> related to the digital privacy of travelers crossing the U.S. border.</p>
<p>EFF filed an <a href="https://www.eff.org/document/us-v-molina-isidoro-eff-brief">amicus brief</a> last year in the case, arguing that the Supreme Court’s decision in <a href="http://caselaw.findlaw.com/us-supreme-court/13-132.html"><em>Riley v. California</em></a> (2014) supports the conclusion that border agents need a probable cause warrant before searching electronic devices because of the unprecedented and significant privacy interests travelers have in their digital data. In <em>Riley</em>, the Supreme Court followed similar reasoning and held that police must obtain a warrant to search the cell phone of an arrestee.</p>
<p>In <em>U.S. v. Molina-Isidoro</em>, although the Fifth Circuit declined to decide whether the Fourth Amendment requires border agents to get a warrant before searching travelers’ electronic devices, one judge invoked prior case law that could help us establish this privacy protection.</p>
<p>Ms. Molina-Isidoro attempted to enter the country at the port of entry at El Paso, TX. An x-ray of her suitcase led border agents to find methamphetamine. They then manually searched her cell phone and looked at her Uber and WhatsApp applications. The government sought to use her correspondence in WhatsApp in her prosecution, so she moved to suppress this evidence, arguing that it was obtained in violation of the Constitution because the border agents didn’t have a warrant.</p>
<p>Unfortunately for Molina-Isidoro, the Fifth Circuit ruled that the WhatsApp messages may be used in her prosecution. But the court avoided the main constitutional question: whether the Fourth Amendment requires a warrant to search an electronic device at the border. Instead, the court held that the border agents acted in “good faith”—an independent basis to deny Molina-Isidoro’s motion to suppress, even if the agents had violated the Fourth Amendment.</p>
<p>The Fifth Circuit presented two bases for its finding of “good faith”—factual and legal. The factual basis of the agents’ “good faith” was that there was probable cause to support a search of Molina-Isidoro’s phone. The finding of drugs in her luggage, according to the Fifth Circuit, “created a fair probability that the phone contained communications with the brother she supposedly visited (or whoever was the actual source of the drugs) and other information about her travel to refute the nonsensical story she had provided.” The legal basis of the agents’ “good faith” was pre-<em>Riley</em> case law that generally permits warrantless and suspicionless “routine” searches of items travelers carry across the border. While the court did not rule on whether <em>Riley</em> requires a warrant for border device searches, the court did emphasize that a leading Fourth Amendment legal treatise recognizes that “<em>Riley</em> may prompt a reassessment” of the question.</p>
<p>Additionally, Fifth Circuit Judge Gregg Costa issued an instructive concurring opinion. While he agreed with the decision to let the WhatsApp evidence stand, based on the border agents’ “good faith,” he made two key points we have made in our own briefs.</p>
<p>First, Judge Costa considered whether the traditional primary purpose of the Fourth Amendment’s border search exception—customs enforcement—justifies conducting warrantless, suspicionless searches of <em>electronic devices</em>. As we have argued, the link between these ends and means is very weak. Judge Costa agreed: “Detection of … contraband is the strongest historic rationale for the border search exception.” Yet, “Most contraband, the drugs in this case being an example, cannot be stored within the data of a cell phone.” He concluded, “this detection-of-contraband justification would not seem to apply to an electronic search of a cellphone or computer.” We made the same argument in our <a href="https://www.eff.org/document/us-v-molina-isidoro-eff-brief">amicus brief</a>: “Just as the <em>Riley</em> Court stated that ‘data on the phone can endanger no one,’ physical items cannot be hidden in digital data.”</p>
<p>Second, Judge Costa considered whether an “evidence-gathering justification” could support warrantless, suspicionless border searches of electronic devices. He questioned this, citing an 1886 Supreme Court customs case, <em>Boyd v. U.S.</em>, which we also cited in our amicus brief. The <em>Boyd</em> Court held:</p>
<blockquote><p>The search for and seizure of stolen or forfeited goods, or goods liable to duties and concealed to avoid the payment thereof, are totally different things from a search for and seizure of a man's private books and papers for the purpose of obtaining information therein contained, or of using them as evidence against him.</p>
</blockquote>
<p>In other words, while border agents have an interest in preventing the importation of physical contraband, they have at most a much lesser interest in searching papers to find evidence of crime. Judge Costa seemed persuaded by this holding in <em>Boyd</em>, especially given the unprecedented privacy interests modern travelers have in their digital data, stating:</p>
<blockquote><p>[<em>Boyd</em>’s] emphatic distinction between the sovereign’s historic interest in seizing imported contraband and its lesser interest in seizing records revealing unlawful importation has potential ramifications for the application of the border-search authority to electronic data that cannot conceal contraband and that, to a much greater degree than the papers in <em>Boyd</em>, contains information that is “like an extension of the individual’s mind”…</p>
</blockquote>
<p>While we would have liked the Fifth Circuit to affirmatively hold that the Fourth Amendment bars a border search of a cell phone without a probable cause warrant, we’re optimistic that we can win such a ruling in our civil case against the U.S. Department of Homeland Security, <a href="https://www.eff.org/cases/alasaad-v-duke"><em>Alasaad v. Nielsen</em></a>, challenging warrantless border searches of electronic devices.</p>
</div></div></div>
Wed, 14 Mar 2018 02:01:57 +0000
98300 at https://www.eff.org
Legal Analysis, Border Searches
Sophia Cope

A New Backdoor Around the Fourth Amendment: The CLOUD Act
https://www.eff.org/deeplinks/2018/03/new-backdoor-around-fourth-amendment-cloud-act
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>There’s a new, proposed backdoor to our data, which would bypass our Fourth Amendment protections to communications privacy. It is built into a dangerous bill called the CLOUD Act, which would allow police at home and abroad to seize cross-border data without following the privacy rules where the data is stored.</p>
<p>This backdoor is an insidious method for accessing our emails, our chat logs, our online videos and photos, and our private moments shared online between one another. This backdoor would deny us meaningful judicial review and the privacy protections embedded in our Constitution.</p>
<p>This new backdoor for cross-border data mirrors <a href="https://www.eff.org/pages/backdoor-search">another backdoor</a> under Section 702 of the FISA Amendments Act, an invasive NSA surveillance authority for foreign intelligence gathering. That law, recently <a href="https://www.eff.org/deeplinks/2018/01/house-fails-protect-americans-unconstitutional-nsa-surveillance">reauthorized</a> and <a href="https://www.eff.org/deeplinks/2018/02/how-congresss-extension-section-702-may-expand-nsas-warrantless-surveillance">expanded</a> by Congress for another six years, gives U.S. intelligence agencies, including the NSA, FBI, and CIA, the ability to search, read, and share our private electronic messages without first obtaining a warrant.</p>
<p>The new backdoor in the CLOUD Act operates much in the same way. U.S. police could obtain Americans’ data, and use it against them, without complying with the Fourth Amendment.</p>
<p>For this reason, <a href="https://www.eff.org/deeplinks/2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data">and many more</a>, EFF strongly opposes the CLOUD Act.</p>
<p>The CLOUD Act (<a href="https://www.congress.gov/bill/115th-congress/senate-bill/2383/text">S. 2383</a> and <a href="https://www.congress.gov/bill/115th-congress/house-bill/4943/text">H.R. 4943</a>) has two major components. First, it empowers U.S. law enforcement to grab data stored anywhere in the world, without following foreign data privacy rules. Second, it empowers the president to unilaterally enter executive agreements with any nation on earth, even known human rights abusers. Under such executive agreements, foreign law enforcement officials could grab data stored in the United States, directly from U.S. companies, without following U.S. privacy rules like the Fourth Amendment, so long as the foreign police are not targeting a U.S. person or a person in the United States.</p>
<p>That latter component is where the CLOUD Act’s backdoor lives.</p>
<p>When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.</p>
<p>Under the CLOUD Act’s rules for these data demands from foreign police to U.S. service providers, this collection of Americans’ data can happen without any prior, individualized review by a foreign or American judge. Also, it can happen without the foreign police needing to prove the high level of suspicion required by the U.S. Fourth Amendment: probable cause.</p>
<p>Once the foreign police have collected Americans’ data, they often will be able to hand it over to U.S. law enforcement, which can use it to investigate Americans, and ultimately to bring criminal charges against them in the United States.</p>
<p>According to the bill, foreign police can share the content of a U.S. person’s communications with U.S. authorities so long as it “relates to significant harm, or the threat thereof, to the United States or United States persons.” This standard is vague and overbroad. Also, the bill’s hypotheticals indicate far-ranging data sharing by foreign police with U.S. authorities. From national security to violent crime, from organized crime to financial fraud, the CLOUD Act permits it all to be shared, and likely far more.</p>
<p>Moreover, the CLOUD Act allows the foreign police who collect Americans’ communications to freely use that content against Americans, and to freely share it with additional nations.</p>
<p>To review: The CLOUD Act allows the president to enter an executive agreement with a foreign nation known for human rights abuses. Using its CLOUD Act powers, police from that nation inevitably will collect Americans’ communications. They can share the content of those communications with the U.S. government under the flawed “significant harm” test. The U.S. government can use that content against these Americans. A judge need not approve the data collection before it is carried out. At no point need probable cause be shown. At no point need a search warrant be obtained.</p>
<p>This is wrong. Much like the infamous backdoor search loophole connected to broad, unconstitutional NSA surveillance under Section 702, the backdoor proposed in the CLOUD Act violates our Fourth Amendment right to privacy by granting unconstitutional access to our private lives online.</p>
<p>Also, when foreign police using their CLOUD Act powers inevitably capture metadata about Americans, they can freely share it with the U.S. government, without even showing “significant harm.” Communications “content” is the words in an email or online chat, the recordings of an internet voice call, or the moving images and coordinating audio of a video call online. Communications “metadata” is the pieces of information that relate to a message, including when it was sent, who sent it, who received it, its duration, and where the sender was located when sending it. Metadata is enormously powerful information and should be treated with <a href="https://necessaryandproportionate.org/principles">the same protection as content</a>.</p>
<p> To be clear: the CLOUD Act fails to provide <em>any</em> limits on foreign police sharing Americans’ metadata with U.S. police.</p>
<p>The CLOUD Act would be a dangerous overreach into our data. It seeks to streamline cross-border police investigations, but it tears away critical privacy protections to attain that goal. This is not a fair trade. It is a new backdoor search loophole around the Fourth Amendment.</p>
<p>Tell your representative today to reject the CLOUD Act.</p>
<p class="take-action"><a href="https://act.eff.org/action/stop-the-cloud-act">Take Action</a></p>
<p class="take-explainer">Stop the CLOUD Act</p>
</div></div></div>
Tue, 13 Mar 2018 21:51:43 +0000
98294 at https://www.eff.org
Legislative Analysis, Privacy, International
David Ruiz

Dear Leader McConnell: Don't pass FOSTA
https://www.eff.org/deeplinks/2018/03/dear-leader-mcconnell-dont-pass-fosta
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>We have heard that the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA, <a href="https://www.congress.gov/bill/115th-congress/house-bill/1865/text?q=%7B%22search%22%3A%5B%22hr+1865%22%5D%7D&amp;r=1">H.R. 1865</a>) may be on the U.S. Senate floor this week for a final vote. We are concerned that the U.S. Senate appears to be rushing to pass a seriously flawed bill without considering the impact it will have on Internet users and free speech.</p>
<p>We wrote Majority Leader Mitch McConnell and Democratic Leader Charles E. Schumer to share our concerns:</p>
<blockquote><p>Websites and apps we all use every day - from WhatsApp and Instagram to Yelp and Wikipedia, even blogs and news websites with comment sections - rely on Section 230 (47 U.S.C § 230). Under Section 230, users are generally liable for the content they post, not the platforms. This bill would change that by expanding a platform's liability beyond its own actions - if this bill passes, online platforms would be responsible for their users' speech and behavior in addition to their own.</p>
<p>Current law, including Section 230, does not prevent federal prosecutors from going after online platforms that knowingly advertise sex trafficking. Additionally, courts have allowed civil claims against online platforms when a platform was shown to have a direct hand in creating the illegal content. New authorities are simply not needed to bring bad platforms or the pimps and "johns" who directly harmed victims to justice.</p>
<p>Section 230 can be credited with creating today's Internet. Congress made the deliberate choice to protect online free speech and innovation, while providing discrete tools to go after culpable platforms. Section 230 provided the legal buffer entrepreneurs needed to experiment with new ways to connect people online and is just as critical for today's startups as it was for today's popular platforms when they launched.</p>
<p>FOSTA would destroy the careful policy balance struck in Section 230. By opening platforms to increased criminal and civil liability at both the federal and state levels for user-generated content, the bill would incentivize those platforms to over-censor their users. Since it would be difficult if not impossible for platforms, both large and small, to review every post individually for sex trafficking content (or to definitively know whether a piece of online content reflects a sex trafficking situation in the offline world), platforms would have little choice but to adopt overly restrictive content moderation practices-silencing legitimate voices in the process. Trafficking victims themselves would likely be the first to be censored under FOSTA.</p>
<p>In addition to opening platforms to increased liability under civil law and state criminal law, FOSTA would also create new federal crimes designed to target online platforms. The expanded federal sex trafficking crimes would not require a platform owner to have knowledge that people are using the platform for sex trafficking-but only have "reckless disregard" of this fact. The Department of Justice already has a powerful legal tool to prosecute culpable online platforms: the SAVE Act of 2015 made it a crime under 18 U.S.C. § 1591 to advertise sexual services with knowledge that trafficking is taking place.</p>
</blockquote>
<p>You can read the rest of the letter <a href="https://www.eff.org/document/eff-letter-leaders-mcconnell-and-schumer-regarding-fosta">here</a>.</p>
</div></div></div>
Tue, 13 Mar 2018 00:49:58 +0000
98289 at https://www.eff.org
Legislative Analysis, Section 230 of the Communications Decency Act
India McKinney

We Still Need More HTTPS: Government Middleboxes Caught Injecting Spyware, Ads, and Cryptocurrency Miners
https://www.eff.org/deeplinks/2018/03/we-still-need-more-https-government-middleboxes-caught-injecting-spyware-ads-and
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>Last week, researchers at <a href="https://citizenlab.ca/">Citizen Lab</a> discovered that Sandvine's PacketLogic devices were being used to </span><a href="https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"><span>hijack users' unencrypted internet connections</span></a><span>, making yet another case for </span><a href="https://www.eff.org/encrypt-the-web"><span>encrypting the web</span></a><span> with HTTPS. In Turkey and Syria, users who were trying to download legitimate applications were instead served malicious software intending to spy on them. In Egypt, these devices injected money-making content into users' web traffic, including advertisements and cryptocurrency mining scripts.</span></p>
<p><span>These are all standard </span><a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack"><span>machine-in-the-middle</span></a><span> attacks, where a computer on the path between your browser and a legitimate web server is able to intercept and modify your traffic data. This can happen if your web connections use HTTP, since data sent over HTTP is unencrypted and can be modified or read by anyone on the network.</span></p>
<p><span>The Sandvine middleboxes were doing exactly this. On Türk Telekom’s network, </span><a href="https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"><span>it was reported</span></a><span> that when a user attempted to download legitimate applications over HTTP, these devices injected fake "redirect" messages which caused the user’s browser to fetch the file from a different, malicious, site. Users downloading common applications like Avast Antivirus, 7-Zip, Opera, CCleaner, and programs from </span><a href="http://download.cnet.com/"><span>download.cnet.com</span></a><span> had their downloads silently redirected. Telecom Egypt’s Sandvine devices, Citizen Lab </span><a href="https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"><span>noted</span></a><span>, were using similar methods to inject money-making content into HTTP connections, by redirecting existing ad links to affiliate advertisements and legitimate javascript files to cryptocurrency mining scripts.</span></p>
<p><span>Site operators can mitigate these attacks by using HTTPS instead of HTTP. And as a user, it's easy to see when a web page has been loaded over HTTPS—check for “https” at the beginning of the URL or, on most common browsers, a green lock icon displayed next to the address bar. However, it can still be hard to tell when you're downloading files insecurely. For instance, Avast's website was hosted over HTTPS, but </span><a href="https://citizenlab.ca/wp-content/uploads/2018/03/Bad-Traffic-Image-12.png"><span>their downloads were not</span></a><span>.</span></p>
<p><span>Today, </span><a href="https://letsencrypt.org/"><span>Let’s Encrypt</span></a><span> and </span><a href="https://certbot.eff.org/"><span>Certbot</span></a><span> make it easier than ever to deploy HTTPS websites and to serve content securely. And later this year, Chrome is planning on marking </span><a href="https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html"><span>all HTTP sites as “not secure”</span></a><span>. Thanks to these collective efforts and many more, almost <a href="https://letsencrypt.org/stats/">80% of web traffic in the U.S. is now encrypted with HTTPS</a>. If you want to be sure you’re browsing securely, EFF’s </span><a href="https://www.eff.org/https-everywhere"><span>HTTPS Everywhere</span></a><span> browser extension can force your browser to use it wherever possible.</span></p>
<p><span>We've come a long way with HTTPS adoption since 2010, when EFF first started pushing tech companies to </span><a href="https://www.eff.org/deeplinks/2010/10/message-firesheep-baaaad-websites-implement"><span>support it</span></a><span>. Evidently, we still have a long way to go.</span></p>
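<p>An added example (not from the original post or from Citizen Lab): a Python check that lists what an HTTPS page would still fetch over plaintext HTTP, the situation described above where a site is served over HTTPS but its downloads are not. It also audits a recorded redirect chain for a plaintext hop. The hostnames, the sample HTML, and the list of download extensions are constructed assumptions.</p>

```python
"""Flag fetches and downloads that leave HTTPS, where an on-path box can rewrite them."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a fetch or a navigation.
FETCH_ATTRS = {"a": "href", "script": "src", "iframe": "src",
               "link": "href", "img": "src", "form": "action"}
# File extensions treated as software downloads (assumption for this example).
DOWNLOAD_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".7z", ".apk", ".deb")


class _RefCollector(HTMLParser):
    """Collects (tag, absolute_url) for every fetch-triggering attribute."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Resolve relative and protocol-relative ("//host/x") references
            # against the page URL, the way a browser would.
            self.refs.append((tag, urljoin(self.base_url, value.strip())))


def classify(tag, url):
    """Label a reference by how much damage a rewritten response could do."""
    path = urlsplit(url).path.lower()
    if tag == "script":
        return "script"      # injected code runs inside the page
    if tag == "a" and path.endswith(DOWNLOAD_EXTS):
        return "download"    # a swapped binary runs on the user's machine
    return "other"


def find_plaintext_fetches(page_url, html):
    """Return every reference on the page that resolves to an http:// URL."""
    collector = _RefCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        if urlsplit(url).scheme == "http":
            findings.append({"kind": classify(tag, url), "tag": tag, "url": url})
    return findings


def first_plaintext_hop(chain):
    """Given the URLs visited while following redirects, in order, return the
    index of the first hop that is not HTTPS, or None if every hop is HTTPS."""
    for index, url in enumerate(chain):
        if urlsplit(url).scheme != "https":
            return index
    return None


# Constructed sample: an HTTPS download page with mixed references.
SAMPLE_PAGE_URL = "https://vendor.example/download"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="http://stats.vendor.example/t.js"></script>
<script src="//cdn.vendor.example/lib.js"></script>
</head><body>
<a href="http://dl.vendor.example/setup.exe">Download for Windows</a>
<a href="https://dl.vendor.example/setup.dmg">Download for macOS</a>
<a href="http://blog.vendor.example/">Blog</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_plaintext_fetches(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding['kind']:9} <{finding['tag']}> {finding['url']}")
    chain = ["https://vendor.example/get", "http://mirror.vendor.example/setup.exe"]
    print("first plaintext hop:", first_plaintext_hop(chain))
```

<p>Site operators can run a check like this against their own download pages; any "download" or "script" finding is a response that a device on the network path could replace.</p>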
</div></div></div>
Mon, 12 Mar 2018 23:29:09 +0000
98287 at https://www.eff.org
Commentary, Encrypting the Web, State-Sponsored Malware
Sydney Li

EFF and 23 Groups Tell Congress to Oppose the CLOUD Act
https://www.eff.org/deeplinks/2018/03/eff-and-x-groups-tell-congress-oppose-cloud-act
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>EFF and 23 other civil liberties organizations sent a letter to Congress urging Members and Senators to oppose the CLOUD Act and any efforts to attach it to other legislation.</p>
<p>The CLOUD Act (<a href="https://www.congress.gov/bill/115th-congress/senate-bill/2383/text">S. 2383</a> and <a href="https://www.congress.gov/bill/115th-congress/house-bill/4943/text">H.R. 4943</a>) is a dangerous bill that would tear away global privacy protections by allowing police in the United States and abroad to grab cross-border data without following the privacy rules of where the data is stored. Currently, law enforcement requests for cross-border data often use a legal system called Mutual Legal Assistance Treaties, or MLATs. This system ensures that, for example, should a foreign government wish to seize communications stored in the United States, that data is properly protected by the Fourth Amendment requirement for a search warrant.</p>
<p>The other groups signing the new coalition letter against the CLOUD Act are Access Now, Advocacy for Principled Action in Government, American Civil Liberties Union, Amnesty International USA, Asian American Legal Defense and Education Fund (AALDEF), Campaign for Liberty, Center for Democracy &amp; Technology, CenterLink: The Community of LGBT Centers, Constitutional Alliance, Defending Rights &amp; Dissent, Demand Progress Action, Equality California, Free Press Action Fund, Government Accountability Project, Government Information Watch, Human Rights Watch, Liberty Coalition, National Association of Criminal Defense Lawyers, National Black Justice Coalition, New America's Open Technology Institute, OpenMedia, People For the American Way, and Restore The Fourth. </p>
<p>The CLOUD Act allows police to bypass the MLAT system, removing vital U.S. and foreign country privacy protections. As we explained in our earlier letter to Congress, the CLOUD Act would:</p>
<ul><li>Allow foreign governments to wiretap on U.S. soil under standards that do not comply with U.S. law;</li>
<li>Give the executive branch the power to enter into foreign agreements without Congressional approval or judicial review, including foreign nations with a well-known record of human rights abuses;</li>
<li>Possibly facilitate foreign government access to information that is used to commit human rights abuses, like torture; and</li>
<li>Allow foreign governments to obtain information that could pertain to individuals in the U.S. without meeting constitutional standards.</li>
</ul><p>You can read more about EFF’s opposition to the CLOUD Act <a href="https://www.eff.org/deeplinks/2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data">here</a>.</p>
<p>The CLOUD Act creates a new channel for foreign governments seeking data about non-U.S. persons who are outside the United States. This new data channel is not governed by the laws of where the data is stored. Instead, the foreign police may demand the data directly from the company that handles it. Under the CLOUD Act, should a foreign government request data from a U.S. company, the U.S. Department of Justice would not need to be involved at any stage. Also, such requests for data would not need to receive individualized, prior judicial review before the data request is made.</p>
<p>The CLOUD Act’s new data delivery method lacks not just meaningful judicial oversight, but also meaningful Congressional oversight. Should the U.S. executive branch enter data exchange agreements—known as “executive agreements”—with foreign countries, Congress would have little time and power to stop them. As we wrote in our letter:</p>
<blockquote><p>“[T]he CLOUD Act would allow the executive branch to enter into agreements with foreign governments—without congressional approval. The bill stipulates that any agreement negotiated would go into effect 90 days after Congress was notified of the certification, unless Congress enacts a joint resolution of disapproval, which would require presidential approval or sufficient votes to overcome a presidential veto.”</p>
</blockquote>
<p>And under the bill, the president could agree to enter executive agreements with countries that are known human rights abusers.</p>
<p>Troublingly, the bill also fails to protect U.S. persons from the predictable, non-targeted collection of their data. When foreign governments request data from U.S. companies about specific “targets” who are non-U.S. persons not living in the United States, these governments will also inevitably collect data belonging to U.S. persons who communicate with the targeted individuals. Much of that data can then be shared with U.S. authorities, who can then use the information to charge U.S. persons with crimes. That data sharing, and potential criminal prosecution, requires no probable cause warrant as required by the Fourth Amendment, violating our constitutional rights.</p>
<p>The CLOUD Act is a bad bill. We urge Congress to stop it, and any attempts to attach it to must-pass spending legislation.</p>
<p><a href="https://www.eff.org/document/coalition-letter-opposing-cloud-act">Read the full coalition letter here</a>.</p>
<p class="take-action"><a href="https://act.eff.org/action/stop-the-cloud-act">Take Action</a></p>
<p class="take-explainer">Stop the CLOUD Act</p>
</div></div></div>
Mon, 12 Mar 2018 05:36:55 +0000
98279 at https://www.eff.org
News Update, International, Privacy
David Ruiz

The Foilies 2018
https://www.eff.org/deeplinks/2018/03/foilies-2018
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><h2>Recognizing the Year’s Worst in Government Transparency</h2>
<p>Government transparency laws like the Freedom of Information Act exist to enforce the public’s right to inspect records so we can all figure out what the heck is being done in our name and with our tax dollars. </p>
<p>But when a public agency ignores, breaks or twists the law, your recourse varies by jurisdiction. In some states, when an official improperly responds to your public records request, you can appeal to a higher bureaucratic authority or seek help from an ombudsperson. In most states, you can take the dispute to court.</p>
<p>Public shaming and sarcasm, however, are tactics that can be applied anywhere.</p>
<p>The California-based news organization Reveal tweets photos of chickpeas or coffee beans to represent each day a FOIA response is overdue, and asks followers to guess how many there are. The alt weekly <em>DigBoston</em> has sent multiple birthday cakes and edible arrangements to local agencies on the one-year anniversary of delayed public records requests. And here, at the Electronic Frontier Foundation, we give out The Foilies during Sunshine Week, an annual celebration of open-government advocacy.</p>
<p>In its fourth year, The Foilies recognizes the worst responses to records requests, outrageous efforts to stymie transparency and the most absurd redactions. These tongue-in-cheek pseudo-awards are hand-chosen by EFF’s team based on nominations from fellow transparency advocates, participants in <span><a href="https://twitter.com/hashtag/foiafriday?f=tweets&amp;vertical=default&amp;src=hash">#FOIAFriday</a></span> on Twitter, and, in some cases, our own personal experience. </p>
<p>If you haven’t heard of us before, EFF is a nonprofit based in San Francisco that works on the local, national and global level to defend and advance civil liberties as technology develops. As part of this work, we file scores of public records requests and take agencies like the U.S. Department of Justice, the Department of Homeland Security, and the Los Angeles Police Department to court to liberate information that belongs to the public. </p>
<p>Because shining a spotlight is sometimes the best litigation strategy, we are pleased to announce the 2018 winners of The Foilies.</p>
<p>Quick links to the winners: </p>
<ul><li><a href="#mulligan">The Mulligan Award - Pres. Donald J. Trump</a></li>
<li><a href="#FOIAFee">FOIA Fee of the Year - Texas Department of Criminal Justice</a></li>
<li><a href="#transparencytheater">Best Set Design in a Transparency Theater Production - Atlanta Mayor Kasim Reed</a></li>
<li><a href="#analog">Special Achievement for Analog Conversion - Former Seattle Mayor Ed Murray</a></li>
<li><a href="#winger">The Winger Award for FOIA Feet Dragging - FBI</a></li>
<li><a href="#prime">The Prime Example Award – Midcoast Regional Redevelopment Authority (Maine)</a></li>
<li><a href="#desayuno">El Premio del Desayuno Más Redactado - CIA</a></li>
<li><a href="#bully">The Courthouse Bully Award - Every Agency Suing a Requester</a></li>
<li><a href="#lawless">The Lawless Agency Award - U.S. Customs and Border Protection</a></li>
<li><a href="#kafka">The Franz Kafka Award for Most Secrets About Secretive Secrecy - CIA</a></li>
<li><a href="#overreach">Special Recognition for Congressional Overreach - U.S. House of Representatives</a></li>
<li><a href="#disappearance">The Data Disappearance Award - Trump Administration</a></li>
<li><a href="#dark">The Danger in the Dark Award - The Army Corps of Engineers</a></li>
<li><a href="#bpa">The Business Protection Agency Award - The Food and Drug Administration</a></li>
<li><a href="#mailman">The Exhausted Mailman Award - Bureau of Indian Affairs</a></li>
<li><a href="#crimepunishment">Crime &amp; Punishment Award - Martin County Commissioners (Florida)</a></li>
<li><a href="#squarefootage">The Square Footage Award - Jacksonville Sheriff’s Office (Florida)</a></li>
<li><a href="#jedi">These Aren’t the Records You’re Looking For Award - San Diego City Councilmember Chris Cate</a></li>
</ul><h3><a id="mulligan"></a>The Mulligan Award - Pres. Donald J. Trump </h3>
<p class="image-right"><img src="/files/2018/03/07/mar-a-lago-1.png" width="300" height="302" alt="" /></p>
<p>Since assuming the presidency, Donald Trump has skipped town more than 55 days to visit his Mar-a-Lago resort in Florida, according to sites like <span><a href="http://trumpgolfcount.com/">trumpgolfcount.com</a></span> and <span><a href="https://www.nbcnews.com/politics/donald-trump/how-much-time-trump-spending-trump-properties-n753366">NBC</a></span>. He calls it his “Winter White House,” where he wines and dines and openly strategizes how to respond to North Korean ballistic missile tests with the Japanese prime minister for all his paid guests to see and post on Facebook. The fact that Trump’s properties have become secondary offices and remain a source of income for his family raises significant questions about transparency, particularly if club membership comes with special access to the president. To hold the administration accountable, Citizens for Responsibility and Ethics in Washington filed a FOIA request for the visitor logs, but received little in response. CREW sued and, after taking another look, the Secret Service provided details about the Japanese leader’s entourage. As <span><a href="https://www.politico.com/story/2017/10/05/mar-a-lago-visitor-logs-secret-service-trump-243478">Politico</a></span> and <span><a href="http://thehill.com/homenews/administration/350874-wh-turns-over-just-one-page-on-mar-a-lago-in-response-to-foia-request">others</a></span> reported, the Secret Service ultimately admitted they’re not actually keeping track. The same can’t be said about Trump’s golf score. </p>
<h3><a id="FOIAFee"></a>FOIA Fee of the Year - Texas Department of Criminal Justice</h3>
<p>Sexual assault in prison is notoriously difficult to measure due to stigma, intimidation, and apathetic bureaucracy. Nevertheless, <span><a href="https://www.muckrock.com/news/archives/2017/aug/18/texas-million/">MuckRock reporter</a></span> Nathanael King made a valiant effort to find out whatever he could about these investigations in Texas, a state once described by <span><a href="https://www.dallasvoice.com/texas-prison-rape-capital-u-s-10105138.html">the <em>Dallas Voice</em></a></span> as the “Prison Rape Capital of the U.S.” However, the numbers that the Texas Department of Criminal Justice came back with weren’t quite what he was expecting. TDCJ demanded he fork over a whopping $1,132,024.30 before the agency would release 260,000 pages of records that it said would take 61,000 hours of staff time to process. That in itself may be an indicator of the scope of the problem. However, to the agency’s credit, they pointed the reporter in the direction of other statistical records compiled to comply with the federal Prison Rape Elimination Act, which TDCJ provided for free. </p>
<h3><a id="transparencytheater"></a>Best Set Design in a Transparency Theater Production - Atlanta Mayor Kasim Reed</h3>
<p class="image-right"><img src="/files/2018/03/07/foia-boxes-2.png" width="300" height="343" alt="" /></p>
<p>“Transparency theater” is the term we use to describe an empty gesture meant to look like an agency is embracing open government, when really it’s meant to obfuscate. For example, an agency may dump an overwhelming number of documents and put them on display for cameras. But because there are so many records, the practice actually subverts transparency by making it extremely difficult to find the most relevant records in the haystack.</p>
<p>Such was the case with Atlanta Mayor Kasim Reed, who released 1.476 million documents about a corruption probe to show his office was supporting public accountability.</p>
<p>“The documents filled hundreds of white cardboard boxes, many stacked up waist high against walls and spread out over rows of tables in the cavernous old City Council chamber,” <span><a href="http://www.myajc.com/news/local-govt--politics/atlanta-releases-millions-documents-federal-bribery-probe/Ynw3XpqpoCPu50uZkVM9sI/"><em>Atlanta Journal-Constitution</em> reporter Leon Stafford wrote</a></span>. “Reed used some of the boxes as the backdrop for his remarks, creating a six-foot wall behind him.” </p>
<p></p><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/styles/large/public/2018/03/07/kasim_reed_03_vert.jpeg?itok=s2Y6bdLW" width="360" height="480" alt="" title="" class="image-large" /><p class="caption-text">FOIA papercuts Credit: J. Scott Trubey/AJC</p></div></div></div>
<p>Journalists began to dig through the documents and quickly discovered that many were blank pages or fully redacted, and in some cases the type was too small for anyone to read. AJC reporter J. Scott Trubey’s hands became covered in papercut gore. Ultimately, the whole spectacle was a waste of trees: The records already existed in a digital format. It’s just that a couple of hard drives on a desk don’t make for a great photo op.</p>
<h3><a id="analog"></a>Special Achievement for Analog Conversion - Former Seattle Mayor Ed Murray </h3>
<p class="center-image"></p><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/styles/large/public/2018/03/07/phone_photo_copy.jpg?itok=ne-OZc0s" width="371" height="480" alt="" title="" class="image-large" /><p class="caption-text">Credit: Phil Mocek</p></div></div></div>
<p>In the increasingly digital age, more and more routine office communication is occurring over mobile devices. With that in mind, transparency activist Phil Mocek <span><a href="https://www.muckrock.com/news/archives/2017/may/04/seattle-text-messages-phone">filed a request</a></span> for text messages (and other app communications) sent or received by now-former Seattle Mayor Ed Murray and many of his aides. The good news is the city at least partially complied. The weird news is that rather than seek the help of an IT professional to export the text messages, some staff simply plopped a cell phone onto a photocopier. Mocek tells EFF he’s frustrated that the mayor’s office refused to search their personal devices for relevant text messages. They argued that city policy forbids using personal phones for city business—and of course, no one would violate those rules. However, we’ll concede that thwarting transparency is probably the least of the allegations against Murray, who resigned in September 2017 amid a child sex-abuse scandal.</p>
<h3><a id="winger"></a>The Winger Award for FOIA Feet Dragging - FBI</h3>
<p class="image-right"><img src="/files/2018/03/07/fbi-winger-1.png" width="300" height="282" alt="" /></p>
<p>Thirty years ago, the hair-rock band Winger released “Seventeen”—a song about young love that <em>really</em> hasn’t withstood the test of time. Similarly, the FBI’s claim that it would take 17 years to produce a series of records about civil rights-era surveillance also didn’t withstand the judicial test of time. </p>
<p><span><a href="https://www.politico.com/blogs/under-the-radar/2017/07/29/judge-balks-fbi-foia-timeline-17-years-241127">As Politico reported</a></span>, George Washington University professor and documentary filmmaker Nina Seavey asked for records about how the FBI spied on antiwar and civil rights activists in the 1960s and 1970s. The FBI claimed they would only process 500 pages a month, which would mean the full set of 110,000 pages wouldn’t be complete until 2034. </p>
<p>Just as Winger’s girlfriend’s dad disapproved in the song, so did a federal judge, writing in her opinion: “The agency's desire for administrative convenience is simply not a valid justification for telling Professor Seavey that she must wait decades for the documents she needs to complete her work.”</p>
<h3><a id="prime"></a>The Prime Example Award – Midcoast Regional Redevelopment Authority (Maine)</h3>
<p>When Amazon announced last year it was seeking a home for its second headquarters, municipalities around the country rushed to put together proposals to lure the tech giant to their region. Knowing that in Seattle Amazon left a substantial footprint on a community (particularly around housing), transparency organizations like MuckRock and the Lucy Parsons Labs <span><a href="https://www.muckrock.com/project/america-bids-on-amazon-175/">followed up with records requests</a></span> for these cities’ sales pitches. </p>
<p>More than 20 cities, such as Chula Vista, California, and Toledo, Ohio, produced the records—but other agencies, including Albuquerque, New Mexico, and Jacksonville, Florida, refused to turn over the documents. The excuses varied, but perhaps the worst response came from <span><a href="https://www.muckrock.com/news/archives/2017/nov/16/maine-750/?utm_content=buffer30f27&amp;utm_medium=social&amp;utm_source=twitter.com&amp;utm_campaign=buffer">Maine’s Midcoast Regional Redevelopment Authority</a></span>. The agency did provide the records, but claimed that by opening an email containing 37 pages of documents, MuckRock had automatically agreed to pay an exorbitant $750 in “administrative and legal fees.” Remind us to disable one-click ordering. </p>
<h3><a id="desayuno"></a>El Premio del Desayuno Más Redactado - CIA</h3>
<p class="image-right"><img src="/files/2018/03/07/cia-burrito.png" width="300" height="305" alt="" /></p>
<p>Buzzfeed reporter <span><a href="https://twitter.com/JasonLeopold/status/957382952102477824">Jason Leopold</a></span> has filed thousands of records requests over his career, but one redaction has become his all-time favorite. Leopold was curious whether CIA staff are assailed by the same stream of office announcements as every other workplace. So, he filed a FOIA request—and holy Hillenkoetter, do they. Deep in the document set was an announcement that “the breakfast burritos are back by popular demand,” with a gigantic redaction covering half the page citing a personal privacy exemption. What are they hiding? Is Anthony Bourdain secretly a covert agent? Did David Petraeus demand extra guac? This could be the CIA’s greatest Latin American mystery since Nicaraguan Contra drug-trafficking.</p>
<h3><a id="bully"></a>The Courthouse Bully Award - Every Agency Suing a Requester </h3>
<p>As director of the privacy advocacy group We See You Watching Lexington, Michael Maharrey filed a public records request to find out how his city was spending money on surveillance cameras. After the Lexington Police Department denied the request, he appealed to the Kentucky Attorney General’s office—and won. </p>
<p>Rather than listen to the state’s top law enforcement official, Lexington Police hauled Maharrey into court. </p>
<p>As the <a href="https://apnews.com/7f6ed0b1bda047339f22789a10f64ac4/New-secrecy-tactic:-suing-people-who-seek-public-records">Associated Press reported</a> last year, lawsuits like these are reaching epidemic proportions. The Louisiana Department of Education sued a retired educator who was seeking school enrollment data for his blog. Portland Public Schools in Oregon sued a parent who was curious about employees paid while on leave for alleged misconduct. Michigan State University sued ESPN after it requested police reports on football players allegedly involved in a sexual assault. Meanwhile, the University of Kentucky and Western Kentucky University have each sued their own student newspapers whose reporters were investigating sexual misconduct by school staff.</p>
<p>These lawsuits are despicable. At their most charitable, they expose huge gaps in public records laws that put requesters on the hook for defending lawsuits they never anticipated. At their worst, they are part of a systematic effort to discourage reporters and concerned citizens from even thinking of filing a public records request in the first place. </p>
<h3><a id="lawless"></a>The Lawless Agency Award - U.S. Customs and Border Protection </h3>
<p>In the chaos of President Trump’s immigration ban in early 2017, the actions of U.S. Customs and Border Protection agents and higher-ups verged on <a href="https://www.thedailybeast.com/border-patrol-ordered-to-block-congressmen-during-travel-ban">unlawful</a>. And if CBP officials already had their mind set on violating all sorts of laws and the Constitution, flouting FOIA seems like small potatoes. </p>
<p>Yet that’s precisely what CBP did when the ACLU <a href="https://www.aclu.org/news/aclu-files-demands-documents-implementation-trumps-muslim-ban">filed a series of FOIA requests</a> to understand local CBP agents’ actions as they implemented Trump’s immigration order. ACLU affiliates throughout the country filed 18 separate FOIA requests with CBP, each of which targeted records documenting how specific field offices, often located at airports or at physical border crossings, were managing and implementing the ban. The requests made clear that they were not seeking agency-wide documents but rather wanted information about each specific location’s activities.</p>
<p>CBP ignored the requests and, when several ACLU affiliates <a href="https://www.aclu.org/news/aclu-files-lawsuits-demanding-local-documents-implementation-trump-muslim-ban">filed 13 different lawsuits</a>, CBP sought to further delay responding by asking a federal court panel to consolidate all the cases into a single lawsuit. To use this procedure—which is usually reserved for class actions or other complex national cases—CBP essentially misled courts about each of the FOIA requests and claimed each was seeking the exact same set of records.</p>
<p>The court panel saw through CBP’s shenanigans and refused to consolidate the cases. But CBP basically ignored the panel’s decision, acting as though it had won. First, it behaved as though all the requests came from a single lawsuit by processing and batching all the documents from the various requests into a single production given to the ACLU. Second, it selectively released records to particular ACLU attorneys, even when those records weren’t related to their lawsuits about activities at local CBP offices.</p>
<p>Laughably, CBP blames the ACLU for its self-created mess, calling their requests and lawsuits “haphazard” and arguing that the ACLU and other FOIA requesters have strained the agency’s resources in seeking records about the immigration ban. None of that would be a problem if CBP had responded to the FOIA requests in the first place. Of course, the whole mess could also have been avoided if CBP never implemented an unconstitutional immigration order. </p>
<h3><a id="kafka"></a>The Franz Kafka Award for Most Secrets About Secretive Secrecy - CIA </h3>
<p>The CIA’s aversion to FOIA is legendary, but this year the agency doubled down on its mission of thwarting transparency. As <a href="https://twitter.com/NatSecGeek">Emma Best</a> detailed for MuckRock, the intelligence agency had <a href="https://www.muckrock.com/news/archives/2017/jul/06/cia-126-reasons/">compiled a 20-page report</a> that laid out at least 126 reasons why it could deny FOIA requests that officials believed would disclose the agency’s “sources and methods.” </p>
<p>But that report? Yeah, it’s totally classified. So not only do you not get to know what the CIA’s up to, but its reasons for rejecting your FOIA request are also a state secret. </p>
<h3><a id="overreach"></a>Special Recognition for Congressional Overreach - U.S. House of Representatives </h3>
<p>Because Congress wrote the Freedom of Information Act, it had the awesome and not-at-all-a-conflict-of-interest power to determine which parts of the federal government must obey it. That’s why it may not shock you that since passing FOIA more than 50 years ago, Congress has never made itself subject to the law.</p>
<p>So far, requesters have been able to fill in the gaps by requesting records from federal agencies that correspond with Congress. For example, maybe a lawmaker writes to the U.S. Department of Puppies asking for statistics on labradoodles. That adorable email chain wouldn’t be available through Congress, but you could get it from the Puppies Department’s FOIA office. (Just to be clear: This isn’t a real federal agency. We just wish it was.)</p>
<p>In 2017 it’s become increasingly clear that some members of Congress believe that FOIA can never reach anything they do, even when they or their staffs share documents or correspond with federal agencies. The House Committee on Financial Services sent <a href="https://www.buzzfeed.com/maryanngeorgantopoulos/house-committee-wants-records-with-treasury-secret?utm_term=.sbWP9ewJ9#.idaqQxjrQ">a threatening letter</a> to the Treasury Department telling them to not comply with FOIA. After the Department of Health and Human Services and the Office of Management and Budget released records that came from the House Ways and Means Committee, the House <a href="https://www.politico.com/story/2017/09/15/house-moves-to-block-access-to-records-foia-242791">intervened</a> in litigation to argue that their records cannot be obtained under FOIA.</p>
<p>In many cases, congressional correspondence with agencies is automatically covered by FOIA, and the fact that a document originated with Congress isn’t by itself enough to shield it from disclosure. The Constitution says Congress gets to write laws; it’s just too bad it doesn’t require Congress to actually read them.</p>
<p class="image-right"><img src="/files/2018/03/07/trump-censor-1.png" width="300" height="293" alt="" /></p>
<h3><a id="disappearance"></a>The Data Disappearance Award - Trump Administration</h3>
<p>Last year, we <a href="https://www.eff.org/deeplinks/2017/03/foilies-2017/#maoa">gave</a> the “Make America Opaque Again Award” to newly inaugurated President Trump for failing to follow tradition and release his tax returns during the campaign. His talent for refusing to make information available to the public has snowballed into an administration that deletes public records from government websites. From the National Park Service’s <a href="https://newrepublic.com/minutes/146390/national-park-service-scrubbed-92-documents-climate-change-website">climate action plans</a> for national parks, to the U.S.D.A. <a href="http://www.sciencemag.org/news/2017/02/usda-blacks-out-animal-welfare-information">animal welfare datasets</a>, to nonpartisan research on the <a href="https://www.wsj.com/articles/treasury-removes-paper-at-odds-with-mnuchins-take-on-corporate-tax-cuts-winners-1506638463">corporate income tax</a>, the Trump Administration has decided to make facts that don’t support its positions disappear. The best example of this vanishing game is the Environmental Protection Agency’s <a href="https://sunlightfoundation.com/2018/01/04/in-its-first-year-the-trump-administration-has-reduced-public-information-online/">removal of the climate change website</a> in April 2017, which only went back online after being <a href="https://www.nytimes.com/2017/10/20/climate/epa-climate-change.html">scrubbed</a> of climate change references, studies and information to educate the public.</p>
<h3><a id="dark"></a>The Danger in the Dark Award - The Army Corps of Engineers</h3>
<p>When <a href="https://www.muckrock.com/news/archives/2017/jun/02/acoe-dapl-website/">reporters</a> researching the Dakota Access Pipeline on contested tribal lands asked for the U.S. Army Corps of Engineers’ environmental impact statement, they were told nope, you can’t have it. Officials cited public safety concerns as reason to deny the request: “The referenced document contains information related to sensitive infrastructure that if misused could endanger peoples’ lives and property.”</p>
<p>Funny thing is, the Army Corps had already published the same document on its website a year earlier. What changed in that year? Politics. The Standing Rock Sioux, other tribal leaders and “Water Protector” allies had since staged a multi-month <a href="http://www.papermag.com/see-these-moving-photos-from-the-peaceful-nodapl-protests-at-standing--2088113608.html?slide=FaRZMk">peaceful protest</a> and <a href="http://www.papermag.com/see-these-moving-photos-from-the-peaceful-nodapl-protests-at-standing--2088113608.html?slide=FaRZMk">sit-in</a> to halt construction of the pipeline. </p>
<p>The need for public scrutiny of the document became clear in June when a <a href="https://www.reuters.com/article/us-northdakota-pipeline-dapl/federal-judge-orders-more-environmental-analysis-of-dakota-pipeline-idUSKBN19538I">U.S. federal judge</a> found that the environmental impact statement omitted key considerations, such as the impact of an oil spill on the Standing Rock Sioux’s hunting and fishing rights as well as the impact on environmental justice. </p>
<h3><a id="bpa"></a>The Business Protection Agency Award - The Food and Drug Administration</h3>
<p>The FDA’s mission is to protect the public from harmful pharmaceuticals, but they’ve recently fallen into the habit of protecting powerful drug companies rather than informing people about potential drug risks. </p>
<p>This past year, <a href="https://www.scientificamerican.com/article/is-the-fda-withholding-data-about-a-controversial-drug-to-protect-its-manufacturer/">Charles Seife</a> at the <em>Scientific American</em> <a href="https://www.accessdata.fda.gov/drugsatfda_docs/nda/2017/Seife%20Production_2017_09_29%20Part%207_Redacted.pdf">requested documents</a> about the drug approval process for a controversial drug to treat Duchenne muscular dystrophy (DMD). The agency cited business exemptions and obscured listed side effects as well as testing methodology for the drug, despite claims that the drug company manipulated results during product trials and pressured the FDA to push an ineffective drug onto the market. The agency even redacted portions of a <em>Bloomberg Businessweek</em> article about the drug because the story provided names and pictures of teenagers living with DMD.</p>
<h3><a id="mailman"></a>The Exhausted Mailman Award - Bureau of Indian Affairs</h3>
<p class="image-right"></p><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/styles/large/public/2018/03/07/bia_foia_vert.jpg?itok=GLdTS7Z5" width="270" height="480" alt="" title="" class="image-large" /><p class="caption-text">Credit: Russ Kick</p></div></div></div>
<p>Requesting information that has already been made public should be quick and fairly simple—but not when you’re dealing with the Bureau of Indian Affairs. A nomination sent into EFF requested <a href="https://www.bia.gov/as-ia/foia/reading-room">all logs</a> of previously released FOIA information by the BIA. The requester even stated that he’d prefer links to the information, which agencies typically provide for records they have already put on their website. Instead, BIA printed 1,390 pages of those logs, stuffed them into 10 separate envelopes, and sent them via registered mail for a grand total cost to taxpayers of $179.</p>
<h3><a id="crimepunishment"></a>Crime &amp; Punishment Award - Martin County Commissioners, Florida</h3>
<p>Generally The Foilies skew cynical, because in many states, open records laws are toothless and treated as recommendations rather than mandates. One major exception to the rule is Florida, where violations of its “Sunshine Law” can result in criminal prosecution. </p>
<p>That brings us to Martin County Commissioners Ed Fielding and Sarah Heard and former Commissioner Anne Scott, each of whom was booked into jail in November on multiple charges related to violations of the state’s public records law. As Jose Lambiet of GossipExtra and the <em>Miami Herald</em> <span><a href="http://www.miamiherald.com/entertainment/ent-columns-blogs/jose-lambiet/article187159413.html">reported</a></span>, the case emerges from a dispute between the county and a mining company that already resulted in taxpayers footing a $500,000 settlement in a public records lawsuit. Among the allegations, the officials were accused of destroying, delaying and altering records. </p>
<p>The cases are set to go to trial in December 2018, Lambiet told EFF. Of course, people are innocent until proven guilty, but that doesn’t make public officials immune to The Foilies.</p>
<h3><a id="squarefootage"></a>The Square Footage Award - Jacksonville Sheriff’s Office (Florida)</h3>
<p>When a government mistake results in a death, it’s important for the community to get all the facts. In the case of 63-year-old Blane Land, who was fatally hit by a Jacksonville Sheriff patrol car, those facts include dozens of internal investigations against the officer behind the wheel. The officer, Tim James, has since been arrested on allegations that he beat a handcuffed youth, <span><a href="http://www.firstcoastnews.com/article/news/why-was-officer-tim-james-still-on-the-street-before-beating-arrest/448134040">raising the question</a></span> of why he was still on duty after the vehicular fatality.</p>
<p>Land’s family hired an attorney, and the attorney filed a request for records. Rather than having a complete airing of the cop’s alleged misdeeds, the sheriff <span><a href="http://www.jacksonville.com/metro/public-safety/news/2017-07-18/sheriff-s-office-wants-family-pay-314k-look-public-records-their">came back</a></span> with a demand for $314,687.91 to produce the records, almost all of which was for processing and searching by the internal affairs division. Amid public outcry over the prohibitive fee, the sheriff took to social media to complain about how much work it would take to go through all the records in the 1,600-foot cubic storage room filled with old-school filing cabinets. </p>
<p>The family is not responsible for the sheriff’s filing system or feng shui, nor is it the family’s fault that the sheriff kept an officer on the force as the complaints—and the accompanying disciplinary records—stacked up.</p>
<h3><a id="jedi"></a>These Aren’t the Records You’re Looking For Award - San Diego City Councilmember Chris Cate</h3>
<p>Shortly after last year’s San Diego Comic-Con and shortly before the release of <em>Star Wars: The Last Jedi</em>, the city of San Diego held a ceremony to name a street after former resident and actor Mark Hamill. A private citizen (whose day job involves writing The Foilies) wanted to know: <span><a href="the-inside-story-of-how-mark-hamill-got-his-own-street-in-san-diego">How does a Hollywood star get his own roadway</a></span>?</p>
<p>The city produced hundreds of pages related to his request that showed how an effort to change the name of Chargers Boulevard after the football team abandoned the city led to the creation of <span><a href="https://www.sandiego.gov/citycouncil/cd6/markhamilldrive">Mark Hamill Drive.</a></span> The document set even included Twitter direct messages between City Councilmember Chris Cate and the actor. However, Cate used an ineffective black marker to redact, accidentally releasing Hamill’s cell phone number and other personal contact details. </p>
<p>As tempting as it was to put Luke Skywalker (and the voice of the Joker) on speed dial, the requester did not want to be responsible for doxxing one of the world’s most beloved actors. He alerted Cate’s office of the error, which then re-uploaded properly redacted documents.</p>
</div></div></div>
Sun, 11 Mar 2018 13:42:24 +0000
98238 at https://www.eff.org
Transparency
Dave Maass
Aaron Mackey
Camille Fischer
Landis + Gyr Agrees to Leave Documents Up, Then Sends Notice to Take Them Down
https://www.eff.org/deeplinks/2018/03/landis-gyr-agrees-leave-documents-then-sends-notice-take-them-down
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>A Georgia energy company has made two separate attempts to take down public documents that let Seattle residents know how the “smart meters” on their homes work.</p>
<p>Back in 2016, a local activist obtained two documents from the City of Seattle related to the smart meter technology. But some companies involved in making and maintaining that technology went to court and won a quick order forcing the documents offline by arguing that information about the city’s meters constituted “trade secrets.”</p>
<p>EFF fought back, defending Muckrock’s First Amendment right to publish public documents obtained from a public records request. After our intervention, a Washington state court <a href="https://www.eff.org/deeplinks/2016/06/victory-court-ends-prior-restraint-against-muckrock">reversed</a> the takedown order. In mid-2016, a settlement was reached with Landis + Gyr and Sensus, two of the companies that had attempted to remove the documents. Lawyers for the two companies explicitly <a href="https://www.eff.org/document/landisgyr-v-city-seattle-order-dismissing-muckrock">agreed</a> that the documents could remain public and published at Muckrock’s website.</p>
<p>But in February 2018, Landis + Gyr sent a DMCA notice <a href="https://www.techdirt.com/articles/20180212/16511939214/smart-meter-company-landis-gyr-now-using-copyright-to-try-to-hide-public-records.shtml">demanding a takedown of the exact same documents</a> that, two years earlier, they explicitly agreed could remain online. A copy of the smart meter documents was placed on DocumentCloud by Techdirt, a technology blog that had reported on the initial 2016 proceedings.</p>
<p>Techdirt noted the futility of trying to remove documents that were already online elsewhere, and suggested that all Landis + Gyr is doing is “reminding everyone that (1) these documents exist online and (2) apparently the company would prefer you not look at these public records about its own systems.”</p>
<p>While the bogus DMCA takedown notice does appear to have succeeded in removing the documents from DocumentCloud, you can still find them <a href="https://cdn.muckrock.com/foia_files/2016/06/03/Req_9_Security_Overview.pdf">here</a> and <a href="https://cdn.muckrock.com/foia_files/2016/06/03/LandisGyr_Managed_Services_Report_2015_Final.pdf">here</a>.</p>
</div></div></div>
Sat, 10 Mar 2018 01:13:38 +0000
98277 at https://www.eff.org
Fair Use
Joe Mullin
Senators Introduce New Bill to Protect Digital Privacy at the Border
https://www.eff.org/deeplinks/2018/03/senators-introduce-new-bill-protect-digital-privacy-border
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Senators Patrick Leahy (D-VT) and Steve Daines (R-MT) introduced a new bill (<a href="https://www.congress.gov/bill/115th-congress/senate-bill/2462">S. 2462</a>) that would better protect the privacy of travelers whose electronic devices—like cell phones and laptops—are searched and seized by border agents. While the new bill doesn’t require a <a href="https://www.eff.org/deeplinks/2017/10/pass-protecting-data-border-act">probable cause warrant across the board</a> like the <a href="https://www.congress.gov/bill/115th-congress/senate-bill/823">Protecting Data at the Border Act (S. 823, H.R. 1899)</a>, it does have many positive provisions and would be a significant improvement over the status quo.</p>
<p>The Leahy-Daines bill, which currently has the long title of “A bill to place restrictions on searches and seizures of electronic devices at the border,” applies to U.S. persons, meaning U.S. citizens or lawful permanent residents. The bill places separate restrictions based on the type of search conducted: manual or forensic.</p>
<p>For “manual” searches of electronic devices, the bill requires that border agents—whether from U.S. Customs and Border Protection (CBP) or U.S. Immigration and Customs Enforcement (ICE)—have reasonable suspicion that the traveler violated an immigration or customs law and that the electronic device contains evidence relevant to the violation. The bill defines a manual search as an examination of an electronic device without the use of forensic software or the entry of a password. (Imagine a hands-on review of photos on a digital camera with no password on it, or a look through a phone not locked by a fingerprint scanner or passcode.) The definition also appears to include any type of search that lasts less than four hours or doesn’t include the copying or documentation of data on the device. By contrast, the bill requires border agents to obtain a probable cause warrant before conducting a “forensic” search of an electronic device.</p>
<p>These rules would be an improvement over <a href="https://www.eff.org/deeplinks/2018/01/new-cbp-border-device-search-policy-still-permits-unconstitutional-searches">CBP’s current policy</a>, which does not require any level of suspicion for manual searches, and requires reasonable suspicion for forensic searches—unless the forensic search is prompted by a “national security concern” (which we believe is a huge loophole). ICE’s policy continues to permit suspicionless border searches of electronic devices.</p>
<p>The Fourth Amendment, however, requires border agents to obtain a <a href="https://www.eff.org/deeplinks/2018/01/round-effs-advocacy-against-border-device-searches">probable cause warrant</a> before searching electronic devices given the unprecedented and significant privacy interests travelers have in their digital data. And the Constitution’s protections don’t turn on an arbitrary distinction between manual and forensic searches. Recent updates to CBP’s policy don’t cure the constitutional problems with how either agency conducts border searches (and seizures) of electronic devices.</p>
<p>The Leahy-Daines bill also requires that border agents have probable cause to seize an electronic device. They would then have to obtain a warrant from a judge within 48 hours. If a warrant is not obtained within 48 hours, the device must be “immediately” returned to the traveler. We support this probable cause requirement for device seizures, and it’s what we argue in our civil case against CBP and ICE, <a href="https://www.eff.org/cases/alasaad-v-duke"><em>Alasaad v. Nielsen</em></a>.</p>
<p>Importantly, the Leahy-Daines bill includes a suppression remedy if the government violates the law. This means that any information illegally obtained from a traveler’s electronic device during a border search may not be relied upon in any legal, administrative, or legislative proceeding, including an immigration hearing or a criminal trial.</p>
<p>The bill also includes important reporting requirements. These include statistics on the “age, sex, country of origin, citizenship or immigration status, ethnicity, and race” of travelers who were subject to device searches and seizures, which would shed light on whether border agents are acting in a discriminatory manner. The statistics also include the number of travelers whose devices were searched or seized and who were later charged with a crime, which would shed light on how effective device searches and seizures at the border are in rooting out criminals.</p>
<p>The border is not a Constitution-free zone. CBP searched <a href="https://www.cbp.gov/newsroom/national-media-release/cbp-releases-updated-border-search-electronic-device-directive-and">over 30,000 devices</a> last year and the number is rapidly increasing. We are glad to see some members of Congress turning their attention to the rampant problem of unconstitutional border searches and seizures of electronic devices—and the massive privacy invasions by the government that result.</p>
</div></div></div>
Fri, 09 Mar 2018 23:54:17 +0000
98275 at https://www.eff.org
Legislative Analysis, Border Searches
Sophia Cope
Video Game Developer Says He Won't Send a Takedown of a Bad Review, Does So Anyway
https://www.eff.org/deeplinks/2018/03/video-game-developer-says-he-wont-send-takedown-bad-review-does-so-anyway
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Oh what a tangled web we weave when first we get into a Twitter fight with someone who gave our video game a bad review on YouTube. And when we say that we would never send a DMCA takedown for it. And when one mysteriously turns up anyway.</p>
<p>This is one of the most confusing series of events ever to surround a takedown. First, Richard La Ruina, a man who claims to be a top pickup artist, created a <a href="https://www.theverge.com/2018/3/7/17091066/playstation-store-super-seducer-game">somewhat controversial</a> dating game called <em>Super Seducer</em>. Then, <a href="https://www.youtube.com/user/IAmPattyJack">YouTuber IAmPattyJack</a> (also known as Chris Hodgkinson) covered the game in his “_____ Is the Worst Game Ever” series.</p>
<p>La Ruina took poorly to the bad review Hodgkinson gave <em>Super Seducer</em> and showed up in the video’s comments when it only had about 100 views. Hodgkinson and La Ruina then got <a href="https://twitter.com/RichardGambler/status/966749644230455296?ref_src=twsrc%5Etfw&amp;ref_url=https%3A%2F%2Fwww.plagiarismtoday.com%2F2018%2F03%2F06%2Fthe-worst-false-dmca-notice-ive-seen%2F">into it on Twitter</a>, which did eventually <a href="https://twitter.com/RichardGambler/status/966758783262261249?ref_src=twsrc%5Etfw&amp;ref_url=https%3A%2F%2Fwww.plagiarismtoday.com%2F2018%2F03%2F06%2Fthe-worst-false-dmca-notice-ive-seen%2F">resolve itself</a> into La Ruina acknowledging that giving a review copy to someone who does a “Worst Game Ever” series was perhaps not the smartest move. </p>
<p>That’s when it got weird. Someone else on Twitter applauded La Ruina for admitting he was wrong instead of sending a DMCA takedown. <a href="https://twitter.com/RichardGambler/status/966760789217632256?ref_src=twsrc%5Etfw&amp;ref_url=https%3A%2F%2Fwww.plagiarismtoday.com%2F2018%2F03%2F06%2Fthe-worst-false-dmca-notice-ive-seen%2F">La Ruina responded</a> “ah yeah we have our DMCA subscription,” which is not a thing. (As others <a href="https://www.plagiarismtoday.com/2018/03/06/the-worst-false-dmca-notice-ive-seen/">have pointed out</a>, he may have meant a service that makes filing DMCA takedowns easier.)</p>
<p>Hodgkinson showed back up to say that this was <em>not</em> something La Ruina wanted to do, and <a href="https://twitter.com/RichardGambler/status/966762471481540608?ref_src=twsrc%5Etfw&amp;ref_url=https%3A%2F%2Fwww.plagiarismtoday.com%2F2018%2F03%2F06%2Fthe-worst-false-dmca-notice-ive-seen%2F">La Ruina said he</a> “decided not to, I believe in freedom and democracy and all that american [sic] stuff. We only DMCA when people rip our products.” It got <em>weirder</em> when, contrary to what La Ruina had stated on Twitter, a DMCA notice resulted in the <a href="https://www.polygon.com/2018/2/28/17058040/super-seducer-iampattyjack-dmca-takedown">review getting taken down</a>. Hodgkinson then got an apology letter from La Ruina’s PR people, saying the notice had been retracted, and offering to pay for any lost income Hodgkinson would have as a result of the video vanishing. La Ruina sent Hodgkinson $50, which Hodgkinson said he did not want. It took a while, but the video is finally back on YouTube.</p>
<p>La Ruina’s apparent first instinct—that he should not send a DMCA takedown aimed at a review—was the correct one. It’s not infringement and therefore not what takedown notices are for. But La Ruina also wrongly framed it as his choice, stemming out of benevolence on his part, and not a necessary aspect of the takedown process. And that is where we constantly run into problems. DMCA takedowns are supposed to be for infringement and not silencing criticism. But the perception that they are a tool for that is so pervasive that merely following the rules makes you look like the good guy.</p>
<p>Even with all of those factors, the video was still down for days. It seems that the DMCA ends up being a censorship tool even when people say they will do the right thing.</p>
<p><em>This is an entry in the <a href="https://www.eff.org/takedowns">Takedown Hall of Shame</a>, highlighting the worst of bogus copyright and trademark complaints.</em></p>
</div></div></div>
Fri, 09 Mar 2018 21:09:14 +0000
98272 at https://www.eff.org
Commentary, Creativity & Innovation, Fair Use, DMCA
Katharine Trendacosta
Senators Pressure Platforms for Private Censorship of Drug Information
https://www.eff.org/deeplinks/2018/03/senators-and-big-pharma-level-inaccurate-drug-accusations-against-platforms
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Last month Senators Chuck Grassley (R-Iowa), Dianne Feinstein (D-Calif.), Amy Klobuchar (D-Minn.), John Kennedy (R-La.) and Sheldon Whitehouse (D-R.I.) <a href="https://www.grassley.senate.gov/news/news-releases/grassley-feinstein-colleagues-urge-tech-companies-clamp-down-illegal-online-drug">separately wrote</a> to <a href="https://www.judiciary.senate.gov/download/grassley-feinstein-et-al-to-google_-online-drug-trade">Google</a>, <a href="https://www.judiciary.senate.gov/download/grassley-feinstein-et-al-to-microsoft_-online-drug-trade">Microsoft</a>, <a href="https://www.judiciary.senate.gov/download/grassley-feinstein-et-al-to-yahoo_-online-drug-trade">Yahoo</a> and <a href="https://www.judiciary.senate.gov/download/grassley-feinstein-et-al-to-pinterest_-online-drug-trade">Pinterest</a> accusing them of facilitating trade in illegal narcotics and prescription drugs. The near-identical letters demand that each of the recipients:</p>
<blockquote><p><span>consider removing from its platform content that advertises the use of or enables the sale of illicit narcotics, including the sale of prescription drugs without a valid prescription. We further request that [it] consider action to ensure that future, similar content is banned.</span></p>
</blockquote>
<p>The letter specifies that the platforms concerned should censor search results for illicit drugs, and ensure that when users search for prescription medicines they be "automatically directed" to approved U.S.-based suppliers. Attachments to the letters include printouts of organic search listings, with a few results on each page circled, apparently containing information about suppliers who will sell drugs without prescription. (The same printouts reveal some stern anti-drug warnings in the top few results, both organic and paid.)</p>
<p>The letters were announced in a mailing to members of the Alliance for Safe Online Pharmacies (ASOP), a pharma industry lobby group, on the same day that the letters were sent. (Beyond that, we don't know whether there was any coordination between the Senators and ASOP in drafting the letter; and because Congress is exempt from FOIA requests, it would be difficult for us to find out.)</p>
<p>ASOP is also one of the principal contributors to United States Trade Representative (USTR) reports such as the <a href="https://www.eff.org/deeplinks/2017/04/post-tpp-special-301-report-shows-how-little-has-changed">Special 301 Report</a> and the <a href="https://www.eff.org/deeplinks/2016/12/ustr-gets-piracy-website-listing-notoriously-wrong">Notorious Markets List</a>, and it makes similar censorship demands in its submissions to those reports. For example in <a href="https://buysaferx.pharmacy//wp-content/uploads/2016/11/us_report_ustr_100317.pdf">its submission</a> [PDF] to the 2017 Notorious Markets report, ASOP recommends that domain name registrars should "voluntarily lock and suspend illegitimate websites" rather than requiring a court order.</p>
<p>By "illegitimate", ASOP doesn't mean that the website is selling fake drugs; its complaint extends to branded drugs that are merely "transported without the requisite quality controls" (i.e., sent through the mail). Neither is it targeting only recreational drugs; ASOP's submission acknowledges that most overseas drug sales are for "chronic illness and/or maintenance drugs for diseases such as HIV/AIDS, hypertension, [and] hypercholesterolemia." Rather, an "illegitimate" online pharmacy in ASOP lingo is one that doesn't comply with U.S. law that prohibits online medicine sales from overseas—even though, because they <em>are</em> overseas, they are <a href="https://www.eff.org/deeplinks/2016/09/how-big-pharmas-shadow-regulation-censors-internet">not actually subject to U.S. law</a> in the first place.</p>
<p>There might well be a case to be made for tighter regulation of sales of prescription and non-prescription drugs online. But to progress from that proposition to the proposal that information about such drugs should be censored from search engines and online marketplaces, and without a court order at that, is quite a leap. It's concerning that ASOP's recommendations are often incorporated holus bolus into the USTR's reports without independent verification, and that the responsibility for fact-checking of its claims is placed on rebuttal submissions from third parties.</p>
<p>We are even more concerned about the approach taken by the Senators who wrote the letter to major platforms. For U.S. Senators, with the imprimatur of official authority that their offices represent, to prevail on platforms to privately censor content, is a blatant form of <a href="https://eff.org/issues/shadow-regulation">Shadow Regulation</a>, intended to intimidate them into compliance.</p>
<p>If the Senators are serious in their desire for these Internet platforms to censor organic search results, they could table a bill aimed at achieving that object, and have it debated in both houses of Congress. Instead, knowing that such a law would likely be unconstitutional, they are seeking to achieve the same result without a transparent and accountable lawmaking process. The Senators should know better, and we encourage platforms receiving such letters to resist these extra-legal demands.</p>
</div></div></div>
Fri, 09 Mar 2018 18:18:50 +0000
98262 at https://www.eff.org
Commentary, Shadow Regulation
Jeremy Malcolm
Stop SESTA/FOSTA: Don’t Let Congress Censor the Internet
https://www.eff.org/deeplinks/2018/03/stop-sestafosta-dont-let-congress-censor-internet
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>The U.S. Senate is about to vote on a bill that would be disastrous for online speech and communities. </p>
<p>The Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA, <a href="https://www.congress.gov/bill/115th-congress/house-bill/1865">H.R. 1865</a>) might sound appealing, but it would do nothing to fight sex traffickers. What it <em>would</em> do is <a href="https://www.eff.org/deeplinks/2018/02/fosta-would-be-disaster-online-communities">silence a lot of legitimate speech online</a>, shutting some voices out of online spaces.</p>
<p>This dangerous bill has <a href="https://www.eff.org/deeplinks/2018/02/house-vote-fosta-win-censorship">already passed the House of Representatives</a>, and it’s expected to come up for a Senate vote in the next few days. If you care about preserving the Internet as a place where everyone can gather, learn, and share ideas—even controversial ones—it’s time to call your senators.</p>
<p class="take-action"><a href="https://stopsesta.org/">Take Action</a></p>
<p class="take-explainer"><a href="https://stopsesta.org/">Stop SESTA/FOSTA</a></p>
<p>The version of FOSTA that’s passed the House is actually a Frankenstein combination of two different bills, <a href="https://www.eff.org/deeplinks/2017/12/amended-version-fosta-would-still-silence-legitimate-speech-online">an earlier version of FOSTA</a> and a bill called the <a href="https://www.eff.org/deeplinks/2017/08/internet-censorship-bill-would-spell-disaster-speech-and-innovation">Stop Enabling Sex Traffickers Act</a> (SESTA).</p>
<p>How would one bill do so much damage to communities online? Simple: it would scare online platforms into censoring their users.</p>
<p>Online platforms are enabled by a law referred to as Section 230. Section 230 protects online platforms from liability for some types of speech by their users. Without Section 230, social media would not exist in its current form, and neither would the plethora of nonprofit and community-based online groups that serve as crucial outlets for free expression and knowledge sharing.</p>
<p>If Congress undermined these important protections by passing SESTA/FOSTA, many online platforms would be forced to place strong restrictions on their users’ speech, censoring a lot of people in the process. And as we’ve discussed before, when platforms clamp down on their users’ speech, <a href="https://www.eff.org/deeplinks/2017/09/stop-sesta-whose-voices-will-sesta-silence">marginalized voices are disproportionately silenced</a>.</p>
<p>Censorship is not the solution to sex trafficking. This is our last chance: call your senators now and <a href="https://stopsesta.org/">urge them to oppose SESTA/FOSTA</a>.</p>
</div></div></div>
Thu, 08 Mar 2018 16:08:48 +0000
98263 at https://www.eff.org
Call To Action, Free Speech, Section 230 of the Communications Decency Act
Elliot Harmon
Fair Use and Platform Safe Harbors in NAFTA
https://www.eff.org/deeplinks/2018/03/fair-use-and-platform-safe-harbors-nafta
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p class="p1"><span class="s1">Negotiators from Mexico, Canada and the United States were in Mexico City this week for a tense seventh round of negotiations over a modernized version of <a href="https://eff.org/issues/nafta">NAFTA</a>, the North American Free Trade Agreement. With</span><span class="s1"> President Trump's announcement of tough new <a href="https://www.reuters.com/article/us-usa-trade/trade-wars-are-good-trump-says-defying-global-concern-over-tariffs-idUSKCN1GE1PM">unilateral tariffs on imports of steel and aluminum</a>, and the commencement of the Mexican election season later this month, pressure to conclude the deal—or for the United States to withdraw from it—is mounting. </span><span class="s1">In all of this, there is a risk that the issues that are of concern to Internet users are being sidelined.</span></p>
<p class="p1 image-left"><span class="s1"><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/styles/large/public/2018/03/02/img_20180227_121542012_burst000_cover_top.jpg?itok=S-j4bc_w" alt="A group of people, some of them wearing Donald Trump masks, standing with protest banners" title=" negotiations in Mexico City" class="image-large" width="360" height="480" /><p class="caption-text">Protesters at the 7th round of NAFTA negotiations in Mexico City</p></div></div></div></span></p>
<p><span class="s1">One of these issues is the need for balance in the intellectual property chapter of the agreement, in particular by requiring the countries to have copyright limitations and exceptions such as <a href="http://infojustice.org/archives/39629">fair use</a>. This is particularly important if, as we have reason to fear, the rest of the chapter contains provisions that exceed the international copyright norms established in the <a href="https://www.eff.org/issues/trips">TRIPS Agreement</a>. According to the latest unofficial information that we have, the United States Trade Representative (USTR) is not negotiating for a fair use provision in NAFTA. Without such a provision, the new NAFTA will be worse than even the original version of the TPP, which did have a copyright balance provision, albeit an <a href="https://www.eff.org/deeplinks/2015/08/will-hollywoods-whining-thwart-better-tpp-copyright-rules">optional and weak</a> one.</span></p>
<p class="p1"><span class="s1">The new NAFTA should also include <a href="https://blog.ericgoldman.org/archives/2018/01/55-academics-and-advocates-urge-nafta-trade-negotiators-to-add-internet-immunity.htm">platform safe harbors</a>, to ensure that Internet intermediaries, such as ISPs, social networking websites, open WiFi hotspots or caching providers, are not held liable for the speech of their users. EFF addressed this issue in its remarks at </span><span class="s1"><a href="https://www.youtube.com/watch?v=0mNML3GX7Vk">¿Modernización o retroceso? Amenazas al medio ambiente e internet en la renegociación del TLCAN</a>, a forum held at the Mexican Senate on Friday March 2.</span></p>
<p class="p1"><span class="s1">We emphasized in our presentation that we aren't arguing for platform safe harbors for the benefit of the large platforms themselves. The platforms are far from perfect, and the decisions that they make to restrict users' content <a href="https://www.eff.org/deeplinks/2018/01/private-censorship-not-best-way-fight-hate-or-defend-democracy-here-are-some">are frequently wrong</a>. But that's exactly why safe harbors are important. </span><span class="s1">Without safe harbor rules, the Internet platforms that most Internet users depend upon to communicate and share online are likely to censor <em>more</em> of their users' speech, in an effort to reduce their own possible legal exposure.</span></p>
<h3 class="p1"><span class="s1">A Tale of Two Safe Harbors</span></h3>
<p><span class="s1">Two separate safe harbor provisions are planned for NAFTA, and both are in trouble. The first is the </span>copyright safe harbor, which in the U.S. is based on section 512 of the DMCA or <a href="https://www.eff.org/issues/dmca">Digital Millennium Copyright Act</a>. In a nutshell, this safe harbor would protect Internet platforms from liability when their users infringe copyright, so long as the platforms take the allegedly infringing material down after they get a complaint. Canada also has a copyright safe harbor system, which is a little different (and better) because it doesn't require the platform to take the content down, only to <a href="https://www.eff.org/deeplinks/2015/12/how-tpp-perpetuates-mistakes-dmca">notify the person who uploaded it</a> about the complaint.</p>
<p>The copyright safe harbor in NAFTA is under pressure from rightsholders who want to impose secondary liability on platforms who don't do enough to limit copyright infringement by users. Due to the secrecy surrounding the agreement we haven't seen exactly what the more limited provision might look like, but we can guess from industry stakeholder lobbying that it will include a requirement to adopt <a href="http://conservative.org/wp-content/uploads/2017/12/NAFTA-IP-Coalition-Letter-Final.pdf">effective online enforcement regimes</a> [PDF], possibly similar to the SOPA-like censorship system <a href="https://www.eff.org/deeplinks/2018/02/will-canada-be-new-testing-ground-sopa-lite-canadian-media-companies-hope-so">currently under consideration in Canada</a>.</p>
<p>The second safe harbor under consideration in NAFTA would apply to almost everything else that isn't copyright, for example defamation and hateful speech. In the US, that safe harbor is found in <a href="https://www.eff.org/issues/cda230">Section 230</a> (also called CDA 230). Unlike the DMCA, it doesn't require the platform in question to automatically take anything down. For example, under U.S. law a search engine isn't required to censor its search results if one of the results that comes up is alleged to be defamatory. And a good thing too, or we would see even more private censorship.</p>
<p>Mexico and Canada don't have an equivalent to Section 230, and the U.S. is proposing that they should—not so much because it promotes freedom of expression online, but because it would make it easier for American online platforms to operate safely and legally throughout the region. From what we have heard in the corridors of the closed negotiations, Canada and Mexico are pushing back hard on a Section 230-like provision in NAFTA, but for now the USTR is continuing to maintain it as a negotiating objective.</p>
<p class="p1">It would be great if EFF and other groups representing users could speak directly with negotiators on issues such as fair use, the need to avoid placing restrictive conditions on copyright safe harbor rules, and the benefits that a Section 230-style safe harbor could bring to the online freedom of expression of Internet users throughout North America. But unfortunately the NAFTA negotiations are <a href="https://www.eff.org/deeplinks/2017/09/shrinking-transparency-nafta-and-rcep-negotiations">so closed and opaque</a> that it's difficult for us to do that. We'll keep doing what we can to let the negotiators know our concerns, but ultimately what's needed is a <a href="https://www.eff.org/deeplinks/2017/05/ustr-takes-office-eff-sets-out-our-demands-trade-transparency">much more open and inclusive process</a>, to ensure that trade agreements such as NAFTA reflect the needs of all rather than just those of well-connected corporate lobbies.</p>
</div></div></div>
Wed, 07 Mar 2018 23:05:10 +0000
98228 at https://www.eff.org
Commentary, NAFTA
Jeremy Malcolm
Ten Hours of Static Gets Five Copyright Notices
https://www.eff.org/deeplinks/2018/03/ten-hours-static-gets-five-copyright-notices
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Sebastian Tomczak <a href="http://little-scale.blogspot.com/">blogs</a> about technology and sound, and has a <a href="https://www.youtube.com/channel/UCyKfA_u5OAFIvx6DR5gxUVQ">YouTube channel</a>. In 2015, <a href="https://www.adelaide.edu.au/directory/sebastian.tomczak">Tomczak</a> uploaded a ten-hour video of white noise. Colloquially, white noise is persistent background noise that can be soothing or that you don’t even notice after a while. More technically, white noise is many frequencies played at equal intensity. In Tomczak’s video, that amounted to ten hours of, basically, static.</p>
<p>In the beginning of 2018, as a result of YouTube’s Content ID system, <a href="https://www.techdirt.com/articles/20180105/10292038938/white-noise-youtube-gets-five-separate-copyright-claims-other-white-noise-providers.shtml">a series of copyright claims</a> were made against Tomczak’s video. <a href="https://twitter.com/littlescale/status/949032404206870528">Five different claims</a> were filed on sound that Tomczak created himself. The claimants didn’t force Tomczak’s video to be taken down; they all opted to monetize it instead. In other words, ads on the ten-hour video would now generate revenue for those claiming copyright on the static.</p>
<p>Normally, getting out of this arrangement would have required Tomczak to go through the lengthy counter-notification process, but Google decided to drop the claims. <a href="https://blogs.adelaide.edu.au/adelaidex/2018/01/22/the-aftermath-of-the-white-noise-youtube-copyright-claims-a-qa-with-dr-sebastian-tomczak/">Tomczak believes</a> it’s because of the publicity his story got. But hoping your takedown goes viral or using the <a href="https://www.eff.org/document/eff-512-study-comments">intimidating counter-notification</a> system is not a workable way to get around a takedown notice.</p>
<p>YouTube’s Content ID system works by having people upload their content into a database maintained by YouTube. New uploads are compared to what’s in the database and when the algorithm detects a match, copyright holders are informed. They can then make a claim, forcing it to be taken down, or they can simply opt to make money from ads put on the video.</p>
<p>And so it is that an automated filter matched part of ten hours of white noise to, in one case, two different <em>other </em>white noise videos owned by the same company and resulted in Tomczak getting copyright notices.</p>
<p>Copyright bots like Content ID are tools and, like any tool, can be easily abused. First of all, they can match content but can’t tell the difference between infringement and fair use. And, as happened in this case, they can match similar-sounding general noise. These mistakes don’t make the bots great at protecting free speech.</p>
<p>Some lobbyists <a href="https://www.eff.org/deeplinks/2016/01/notice-and-stay-down-really-filter-everything">have advocated</a> for these kinds of bots to be required for platforms hosting third-party content. Beyond the threat to speech, this would be a huge and expensive hurdle for new platforms trying to get off the ground. And, as we can see from this example, it doesn’t work properly without a lot of oversight.</p>
<p><em>This article is part of the Takedown Hall of Shame, which collects the worst of the worst of bogus copyright and trademark complaints that have threatened all kinds of creative expression on the Internet.</em></p>
<p class="take-action"><a href="https://www.eff.org/takedowns">Back to Takedown Hall of Shame</a></p>
</div></div></div>
Wed, 07 Mar 2018 21:30:49 +0000
98260 at https://www.eff.org
Creativity & Innovation, DMCA
Katharine Trendacosta
Offline/Online Project Highlights How the Oppression Marginalized Communities Face in the Real World Follows Them Online
https://www.eff.org/deeplinks/2018/03/offlineonline-project-highlights-how-oppression-marginalized-communities-face-real
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>People in marginalized communities who are targets of persecution and violence—from the <a href="https://www.hrw.org/tag/rohingya-crisis">Rohingya</a> in Burma to <a href="https://www.npr.org/sections/codeswitch/2016/11/22/502068751/the-standing-rock-resistance-is-unprecedented-it-s-also-centuries-old">Native Americans</a> in North Dakota—are using social media to tell their stories, but finding that their voices are being silenced online.</p>
<p>This is the tragic and unjust consequence of content moderation policies of companies like Facebook, which is deciding on a daily basis what can be and can’t be said and shown online. <a href="https://www.eff.org/deeplinks/2017/07/industry-efforts-censor-pro-terrorism-online-content-pose-risks-free-speech">Platform censorship</a> has ratcheted up in these times of political strife, ostensibly to combat hate speech and online harassment. Takedowns and closures of <a href="https://www.eff.org/deeplinks/2017/08/fighting-neo-nazis-future-free-expression">neo-Nazi</a> and white supremacist sites have been a matter of intense debate. Less visible is the effect content moderation is having on vulnerable communities.</p>
<p><a href="https://www.propublica.org/article/facebook-enforcement-hate-speech-rules-mistakes">Flawed rules</a> against hate speech have shut down online conversations about racism and harassment of people of color. Ambiguous “community standards” have prevented Black Lives Matter <a href="https://www.theguardian.com/technology/2016/sep/12/facebook-blocks-shaun-king-black-lives-matter">activists</a> from showing the world the racist messages they receive. Rules against depictions of violence have removed reports about the <a href="https://www.nytimes.com/2017/08/22/world/middleeast/syria-youtube-videos-isis.html">Syrian war</a> and <a href="https://www.thedailybeast.com/exclusive-rohingya-activists-say-facebook-silences-them">accounts of human rights abuses of Myanmar's Rohingya</a>. These voices, and the voices of aboriginal women in Australia, Dakota pipeline protestors and many others are being erased online. Their stories and images of mass arrests, military attacks, racism, and genocide are being flagged for takedown by Facebook. The powerless struggle to be heard in the first place; online censorship further marginalizes vulnerable communities. This is not OK.</p>
<p>In response, EFF and Visualizing Impact launched an awareness project today that highlights the online censorship of communities across the globe that are struggling or in crisis. Offline/Online is a <a href="https://www.onlinecensorship.org/content/infographics">series of visuals</a> demonstrating that the inequities and oppression these communities face in the physical world are being replicated online. The visuals can be downloaded and shared on Twitter, Facebook, and Snapchat, or printed out for distribution.</p>
<p>In one, the displacement of nearly 700,000 Rohingya Muslims from Myanmar because of state violence is represented in a photo showing Rohingya children trying to board a small boat. Rohingya refugees, many of whom are women and children, are arriving in Bangladesh with wounds from gunshot and fire, according to the <a href="https://www.unocha.org/rohingya-refugee-crisis">United Nations</a>.</p>
<p>And online? Facebook is an <a href="https://www.nytimes.com/2017/10/27/world/asia/myanmar-government-facebook-rohingya.html">essential means of communication in Myanmar</a>. Activists there and in the West have documented the violence against the Rohingya online, only to have their Facebook posts removed and accounts suspended.</p>
<p>Inequity offline, censorship online.</p>
<p>The EFF/Visualizing Impact project exposes this pattern among Palestinians, aboriginal women in Australia, Native Americans, Dakota pipeline protestors, and black Americans. We believe this is just the tip of the iceberg. We are already far down the slippery slope from judicious moderation of online content to outright censorship. With two billion Facebook users worldwide, there are likely more vulnerable communities being subject to online censorship.</p>
<p>Our hope is that activists, concerned citizens, and online communities will post and share Inequity Offline/Censorship Online visuals (found <a href="https://www.onlinecensorship.org/content/infographics">here</a>) many times, raising awareness about the impact of censorship on marginalized communities—a story that is underreported. Sharing the visuals is a step all of us can take to combat online censorship. It may help restore the speech and voices being erased online.</p>
</div></div></div>
Tue, 06 Mar 2018 19:06:08 +0000
98245 at https://www.eff.org
Free Speech, Social Networks, Offline : Imprisoned Bloggers and Technologists, Surveillance and Human Rights, Anonymity, International, Security Education
Jillian C. York, Karen Gullo
Geek Squad's Relationship with FBI Is Cozier Than We Thought
https://www.eff.org/deeplinks/2018/03/geek-squads-relationship-fbi-cozier-we-thought
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><em>Update: A Best Buy spokesperson <a href="http://www.zdnet.com/article/new-documents-reveal-fbi-paid-geek-squad-repair-staff-as-informants/">confirmed to reporters</a> that at least four Geek Squad employees received payments from the FBI.</em></p>
<p>After the prosecution of a California doctor revealed the FBI’s ties to a <a href="https://www.washingtonpost.com/local/public-safety/if-a-best-buy-technician-is-a-paid-fbi-informant-are-his-computer-searches-legal/2017/01/09/f56028b4-d442-11e6-9cb0-54ab630851e8_story.html">Best Buy Geek Squad</a> computer repair facility in Kentucky, new documents released to EFF show that the relationship goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants.</p>
<p>EFF filed a Freedom of Information Act <a href="https://www.eff.org/cases/fbi-geek-squad-informants-foia-suit">(FOIA) lawsuit</a> last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially <a href="https://www.eff.org/deeplinks/2017/02/FBI-tries-to-bypass-Fourth-Amendment-Safeguards-by-using-Geek-Squad">circumvents computer owners’ Fourth Amendment rights</a>.</p>
<p>The documents released to EFF show that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. For example, <a href="https://www.eff.org/document/geek-squad-foia-excerpt-fbi-meeting-repair-facility">an FBI memo</a> from September 2008 details how Best Buy hosted a meeting of the agency’s “Cyber Working Group” at the company’s Kentucky repair facility.</p>
<p>The memo and a related email show that Geek Squad employees also gave FBI officials a tour of the facility before their meeting and make clear that the law enforcement agency’s Louisville Division “has maintained close liaison with the Geek Squad’s management in an effort to glean case initiations and to support the division’s Computer Intrusion and Cyber Crime programs.”</p>
<p>Another <a href="https://www.eff.org/document/geek-squad-foia-excerpt-fbi-payment-informant">document</a> records a $500 payment from the FBI to a confidential Geek Squad informant. This appears to be one of the same payments at issue in the <a href="https://www.ocweekly.com/best-buy-geek-squad-informant-use-has-fbi-on-defense-in-child-porn-case-7794252/">prosecution of Mark Rettenmaier</a>, the California doctor who was charged with possession of child pornography after Best Buy sent his computer to the Kentucky Geek Squad repair facility.</p>
<p>Other documents show that over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs. The documents detail a series of FBI investigations in which a Geek Squad employee would call the FBI’s Louisville field office after finding what they believed was child pornography.</p>
<p>The FBI agent would show up, review the images or video, and determine whether they believed the material was illegal content. After that, they would seize the hard drive or computer and send it to another FBI field office near where the owner of the device lived. Agents at that local FBI office would then investigate further, and <a href="https://www.eff.org/document/geek-squad-foia-excerpt-fbi-obtaining-warrant-case">in some cases</a> try to obtain a warrant to search the device.</p>
<p>Some of these reports indicate that the FBI treated Geek Squad employees as informants, identifying them as “CHS,” which is shorthand for confidential human sources. In other cases, the FBI identifies the initial calls as coming from Best Buy employees, raising questions as to whether certain employees had different relationships with the FBI.</p>
<p>In the case of the investigation into Rettenmaier’s computers, the documents released to EFF do not appear to have been made public in that prosecution. These raise additional questions about the level of cooperation between the company and law enforcement.</p>
<p>For example, <a href="https://www.eff.org/document/geek-squad-foia-excerpt-notes-rettenmaier-investigation">documents reflect</a> that Geek Squad employees only alert the FBI when they happen to find illegal materials during a manual search of images on a device and that the FBI does not direct those employees to actively find illegal content.</p>
<p>But some evidence in the case appears to show Geek Squad employees did make an affirmative effort to identify illegal material. For example, the image found on Rettenmaier’s hard drive was in an <a href="https://www.washingtonpost.com/local/public-safety/if-a-best-buy-technician-is-a-paid-fbi-informant-are-his-computer-searches-legal/2017/01/09/f56028b4-d442-11e6-9cb0-54ab630851e8_story.html">unallocated space</a>, which typically requires forensic software to find. Other evidence showed that Geek Squad employees were financially rewarded for finding child pornography. Such a bounty would likely encourage Geek Squad employees to actively sweep for suspicious content.</p>
<p>Although these documents provide new details about the FBI’s connection to Geek Squad and its Kentucky repair facility, the FBI has withheld a number of other documents in response to our FOIA suit. Worse, the FBI has <a href="https://www.eff.org/document/letter-second-production-fbi-geek-squad-foia">refused to confirm or deny</a> to EFF whether it has similar relationships with other computer repair facilities or businesses, despite our FOIA specifically requesting those records. The FBI has also failed to produce documents that would show whether the agency has any internal procedures or training materials that govern when agents seek to cultivate informants at computer repair facilities.</p>
<p>We plan to challenge the FBI’s stonewalling in court later this spring. In the meantime, you can read the documents produced so far <a href="https://www.eff.org/document/first-production-fbi-geek-squad-foia">here</a> and <a href="https://www.eff.org/document/third-production-fbi-geek-squad-foia">here</a>.</p>
</div></div></div><div class="field field--name-field-related-cases field--type-node-reference field--label-above"><div class="field__label">Related Cases:&nbsp;</div><div class="field__items"><div class="field__item even"><a href="/cases/fbi-geek-squad-informants-foia-suit">FBI Geek Squad Informants FOIA Suit</a></div></div></div>
Tue, 06 Mar 2018 18:59:12 +0000
98252 at https://www.eff.org
Transparency, Security Education
Aaron Mackey
Namecheap Relaunches Move Your Domain Day to Support Internet Freedom
https://www.eff.org/deeplinks/2018/03/namecheap-relaunches-move-your-domain-day-support-internet-freedom
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Domain name registrar <a href="https://www.namecheap.com/promotions/move-your-domain-day/">Namecheap has relaunched Move Your Domain Day</a>, encouraging customers to raise money for online freedom with every domain move. Namecheap will donate up to $1.50 per domain transfer to the Electronic Frontier Foundation when customers switch to their service on March 6.</p>
<p>With this year’s promotion Namecheap hopes to draw attention and much-needed funding to EFF’s work fighting for Internet freedom. It's especially urgent since the Federal Communications Commission’s disappointing move to abandon landmark <a href="https://www.eff.org/deeplinks/2017/11/lump-coal-internets-stocking-fcc-poised-gut-net-neutrality-rules">net neutrality and broadband privacy protections</a>. Despite this setback, EFF is committed to defending the open web we love. If you’re in the U.S., visit our action center and <a href="https://act.eff.org/action/save-the-open-internet-order">tell your representatives to restore net neutrality</a>. Not sure where your lawmakers stand on the issue? You can use EFF’s handy tool to <a href="https://checkyourreps.org/">check your reps</a>.</p>
<p>The <a href="https://www.eff.org/deeplinks/2011/12/moveyourdomain-protest-internet-blacklist-bills">original Move Your Domain Day</a> came into being in 2011 when popular domain name registrar GoDaddy spoke out in support of the hugely unpopular <a href="https://www.eff.org/issues/coica-internet-censorship-and-copyright-bill">Internet blacklist bills SOPA and PIPA</a>. The ensuing backlash from Internet users led to a call for customers to leave GoDaddy in favor of companies better-aligned with their online freedom goals. As a result, the first Move Your Domain Day raised over $64,000 for EFF’s work on this and other issues. The response reflected the overwhelming public sentiment that eventually toppled SOPA/PIPA and proved Internet users are powerful when they work together.</p>
<p>We are grateful to Namecheap for including us in this year’s campaign and for standing on EFF’s side in <a href="https://www.eff.org/deeplinks/2013/03/week-action-opposing-cispa">numerous</a> <a href="https://www.eff.org/deeplinks/2015/02/eff-supports-comprehensive-reform-california-electronic-privacy-law">online</a> <a href="https://www.eff.org/deeplinks/2014/03/tech-companies-urge-senator-wyden-reject-fast-track-and-bring-transparency-tpp">rights</a> <a href="https://www.eff.org/deeplinks/2013/06/campaign-end-nsa-warrantless-surveillance-surges-past-500000-signers">battles</a> over the years. We’re also grateful to EFF’s 44,000 members around the world for ensuring that Internet users have an advocate.</p>
<p>More information on Move Your Domain Day: <a href="https://www.namecheap.com/promotions/move-your-domain-day/">https://www.namecheap.com/promotions/move-your-domain-day</a></p>
</div></div></div>
Tue, 06 Mar 2018 18:42:13 +0000
98244 at https://www.eff.org
Announcement, SOPA/PIPA: Internet Blacklist Legislation, Net Neutrality
Aaron Jue
Blunt Measures on Speech Serve No One: The Story of the San Diego City Beat
https://www.eff.org/deeplinks/2018/03/blunt-measures-speech-serve-no-one-story-san-diego-city-beat
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>It’s no secret: Social media has changed the way that we access news. According to the </span><a href="http://www.journalism.org/2017/09/07/news-use-across-social-media-platforms-2017/"><span>Pew Research Center</span></a><span>, two-thirds of Americans report getting at least some of their news on social media. Another study suggests that </span><a href="https://theconversation.com/social-media-is-changing-our-digital-news-habits-but-to-varying-degrees-in-us-and-uk-60900"><span>globally</span></a><span>, for those under 45, online news is now as important as television news. But thanks to platforms’ </span><a href="https://www.recode.net/2018/1/11/16881160/facebook-mark-zuckerberg-news-feed-algorithm-content-video-friends-family-media-publishers"><span>ever-changing algorithms,</span></a><span> content policies, and </span><a href="https://www.eff.org/deeplinks/2017/12/seven-times-2017-journalists-were-censored"><span>moderation practices</span></a><span>, news outlets face significant barriers to reaching online readers.</span></p>
<p><a href="http://sdcitybeat.com/"><span>San Diego CityBeat's recent experience </span></a><span>offers a sad case in point. CityBeat is an alt-weekly focusing on news, music, and culture. Founded in 2002, the publication has a print circulation of 44,000 and is best known for its independence and no-holds-barred treatment of public officials and demo tapes. The site is also known for its quirky—and, it turns out, controversial—headlines.</span></p>
<p><span>It was one of those headlines that caused CityBeat to run afoul of Facebook’s censors. In late November, the platform removed links posted by CityBeat on their own page to a piece by popular columnist Alex Zaragoza. Her piece, entitled “</span><a href="http://sdcitybeat.com/culture/there-she-goz/dear-dudes-you%E2%80%99re-all-trash/"><span>Dear dudes, you’re all trash,</span></a><span>” critiqued men for their complacency and surprise in the light of several high-profile sexual assault and harassment scandals. Zaragoza's similar post on her own timeline was </span><a href="https://twitter.com/there_she_goz/status/938152509205389312"><span>also removed</span></a><span>.</span></p>
<p><span>Ryan Bradford, the web editor of CityBeat, said that Facebook notified him about the post on a weekend. “It didn’t really occur to me how serious it was” at first, he says. “We’d been flagged for content before, [such as] artistic images that contain nudity.”</span></p>
<p><span>He had posted the link to CityBeat’s Facebook page a few days prior, even including the article’s sub-hed—“Even the ‘good ones’ are safe in their obliviousness and complacency.” The message he received from Facebook pointed him to the </span><a href="https://www.facebook.com/communitystandards"><span>Community Standards</span></a><span>, but—as was the case with Egyptian journalist </span><a href="https://www.eff.org/the-story-of-wael-abbas"><span>Wael Abbas</span></a><span>—did not explicitly state which rule the content had violated. Users frequently complain that Facebook provides scant explanation for its removals.</span></p>
<p><span>Bradford thought of appealing but, he told us, “Sending a complaint seemed futile. It feels like you’re sending it out into the ocean.” And in this case, appealing wouldn't have been an option, as Facebook only allows users to appeal account deactivations, not removals of individual items.</span></p>
<p><span>By not notifying users about how their content has violated the rules, the company is setting up users for failure. Users must </span><span>receive clear information about the rules they've violated and how they can appeal content decisions.</span><span> </span></p>
<p><span>As </span><a href="https://www.eff.org/deeplinks/2018/01/private-censorship-not-best-way-fight-hate-or-defend-democracy-here-are-some"><span>we’ve said previously</span></a><span>, private censorship isn’t the best way to fight hate or defend democracy. Corporations are often in a tough position when it comes to dealing with hate speech and other content, but</span> blunt measures that classify a nuanced article in a reputable publication about sexual assault as verboten due to harsh language serve no one. Although <span>corporations have the right to make their own decisions about what types of content users can post, they should seek to maximize freedom of expression. CEO Mark Zuckerberg <a href="https://www.fastcompany.com/40397297/mark-zuckerberg-on-fake-news-free-speech-and-what-drives-facebook">claims</a> that the company stands for freedom of speech, but the decision to ban Zaragoza's piece says otherwise. </span></p>
<p><span>Or, as Bradford puts it: “To start censoring innocuous stuff that ultimately sends a positive message is a detriment to the online community.”</span></p>
<p><i><span>You can read more about our position on private censorship </span></i><a href="https://www.eff.org/deeplinks/2018/01/private-censorship-not-best-way-fight-hate-or-defend-democracy-here-are-some"><i><span>here</span></i></a><i><span>, and learn more about the issue at </span></i><a href="https://onlinecensorship.org/"><i><span>Onlinecensorship.org</span></i></a><i><span>.</span></i></p>
</div></div></div>
Mon, 05 Mar 2018 19:40:10 +0000
98216 at https://www.eff.org
Free Speech
Jillian C. York
Work with EFF This Summer! Apply to be a Google Public Policy Fellow
https://www.eff.org/deeplinks/2018/03/work-eff-summer-apply-be-google-public-policy-fellow
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>If you’re a student who is passionate about emerging Internet and technology policy issues, come work with EFF this summer as a <a href="https://www.google.com/policyfellowship/">Google Public Policy Fellow</a>! This is a <a href="https://www.google.com/policyfellowship/application.html">paid opportunity</a> for students currently enrolled in higher education institutions to work alongside EFF’s international team on projects advancing debate on key public policy issues.</p>
<p>EFF is looking for someone who shares our passion for the free and open Internet. You'll have the opportunity to work on a variety of issues, including <a href="https://onlinecensorship.org/">censorship</a> and global surveillance. Applicants must have strong research and writing skills, the ability to produce thoughtful original policy analysis, a talent for communicating with many different types of audiences, and be independently driven. More specific information can be found <a href="https://www.google.com/policyfellowship/">here</a>.</p>
<ul><li>Program timeline is June 5, 2018 - August 11, 2018, with regular programming throughout the summer. If selected, you can work with EFF to adjust start and completion dates.</li>
<li>The application period opens Friday, March 2, 2018 and all applications must be received by 12:00AM midnight ET, Tuesday, March 20, 2018.</li>
<li>The accepted applicant will receive a stipend of USD $7,500 in 2018 for their 10-week long Fellowship.</li>
</ul><p>To apply with the Electronic Frontier Foundation, follow this <a href="https://docs.google.com/forms/d/e/1FAIpQLScI8qr7RZf5pLIA-1Mcw8m2sV-McUgt7WY51nBMjPsKgTt7ew/viewform">link</a>.</p>
<p><em>Note: This internship is associated with EFF's international team and is separate from EFF's summer <a href="https://www.eff.org/about/opportunities/interns">legal internship program</a>.</em></p>
</div></div></div>
Fri, 02 Mar 2018 23:12:55 +0000
98225 at https://www.eff.org
Announcement
Kimberly Carlson
Fair Use Protects So Much More Than Many Realize
https://www.eff.org/deeplinks/2018/03/fair-use-protects-so-much-more-many-realize
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>With copyright being abused to shut down <a href="https://www.eff.org/wp/unintended-consequences-under-dmca/archive">innovation</a> and <a href="https://www.eff.org/deeplinks/2017/01/copyright-shouldnt-be-tool-censorship">speech</a>, and copyright terms <a href="https://www.eff.org/deeplinks/2018/01/how-big-content-would-enforce-copyright-globally">lasting for generations</a>, fair use is more important than ever. Without fair use, we’d see less creativity. We’d see less news reporting and commentary. And we’d see far less innovation.</p>
<p>Fair use allows people to use copyrighted materials for certain purposes without payment or permission. If something is fair use, it is not infringing on a copyright.</p>
<p>A video remix or a story that critiques culture by incorporating famous characters and giving them new meaning or context is an example of fair use in action. Culture grows because creators are constantly reworking what’s in it. If Superman is portrayed <a href="https://genius.com/1823827">as someone other than a white man</a>, that is clearly a commentary on the symbol of “truth, justice, and the American way.”</p>
<p>Commentary also relies on fair use. Criticism is made stronger when the material being interrogated can be included in the critique. It is difficult to show why someone was wrong or add context to someone else’s report without including at least part of it. We <a href="https://www.eff.org/deeplinks/2018/02/second-circuit-gouges-tveyes-terrible-fair-use-ruling">recently wrote about</a> the Second Circuit’s decision that part of the service offered by TVEyes, a subscription company that provides searchable transcripts and video archives of television and radio, was not fair use. In particular, the court seemed to say that what makes TVEyes so objectionable was that it made material available without Fox News’ permission. One of the reasons fair use is so important to the First Amendment is <em>because</em> it doesn’t require permission. Who would let researchers, academics, and journalists get access to their material for the purpose of saying if and how they’re wrong?</p>
<p>The ways fair use improves our creative culture and our commentary are apparent every time we see fan art on the Internet or watch news commentary. The ways fair use protects innovation can be more subtle.</p>
<p>Copyright also covers software, which is working its way into every part of our life. We’re entering a world where your lights, toothbrush, coffeemaker, and television are all connected to the Internet. And <a href="https://gizmodo.com/the-house-that-spied-on-me-1822429852">transmitting all sorts of information all the time</a>. But if you want to ask an expert how to change that, you’re probably going to need fair use.</p>
<p>Much of the problem lies with Section 1201 of the <a href="https://www.eff.org/issues/dmca">Digital Millennium Copyright Act</a>, which bans breaking restrictions on copyrighted works. That means, for example, that if someone wants to develop an app that better secures your phone but doing so means breaking the digital lock the manufacturer put there, then that inventor faces trouble. Or, say you want to pay a mechanic to fix your car, but that requires them to break the encryption on the computer in it, then Section 1201 would prevent you from getting that help.</p>
<p>Section 1201 can prevent access to things that fair use allows people to use. For example, you may want to make fair use of a clip from a DVD but be banned from breaking a lock to rip the clip. And because of the impact that could have on fair use, there is a <a href="https://www.eff.org/issues/dmca-rulemaking">process for securing an exemption</a> to it. The exemption process occurs every three years, and we’ll get a new set of exemptions in 2018.</p>
<p>Because fair use is important for creativity, commentary, and innovation, and because the ban on circumvention makes that so much harder, convincing the Copyright Office to issue common-sense exemptions is necessary. In 2018, EFF is asking for exemptions for:</p>
<ul><li><a href="https://www.eff.org/document/dmca-1201-new-petition-re-tinkering">Repair, diagnosis, and tinkering</a> with any software-enabled device, including “Internet of Things” devices, appliances, computers, peripherals, toys, vehicles, and environmental automation systems;</li>
<li><a href="https://www.eff.org/document/dmca-1201-new-petition-re-jailbreaking">Jailbreaking</a> personal computing devices, including smartphones, tablets, smartwatches, and personal assistant devices like the Amazon Echo and the forthcoming Apple HomePod;</li>
<li>Using <a href="https://www.eff.org/document/dmca-1201-new-petition-re-video">excerpts</a> from video discs or streaming video for criticism or commentary, without the narrow limitations on users (noncommercial vidders, documentary filmmakers, certain students) that the Copyright Office now imposes;</li>
<li><a href="https://www.eff.org/document/dmca-1201-new-petition-re-security-research">Security research</a> on software of all kinds, which can be found in consumer electronics, medical devices, vehicles, and more;</li>
<li>Lawful uses of <a href="https://www.eff.org/document/dmca-1201-petition-re-hdcp">video encrypted using High-bandwidth Digital Content Protection</a> (HDCP, which is applied to content sent over the HDMI cables used by home video equipment).</li>
</ul><p>It would be even better if hoops like this didn’t exist for fair use to jump through, but while they do, it’s important to keep showing how important it is.</p>
<p><em>This week is <a href="http://fairuseweek.org/">Fair Use/Fair Dealing Week</a>, an annual celebration of the important doctrines of fair use and fair dealing. It is designed to highlight and promote the opportunities presented by fair use and fair dealing, celebrate successful stories, and explain these doctrines.</em></p>
</div></div></div>
Fri, 02 Mar 2018 21:51:57 +0000
98224 at https://www.eff.org
Creativity & Innovation, Fair Use
Katharine Trendacosta
The Post-TPP Future of Digital Trade in Asia
https://www.eff.org/deeplinks/2018/02/rcep-negotiations-face-obstacles-member-nations-unwilling-commit
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p class="p1"><span class="s1">On March 8, trade representatives from eleven Pacific Rim countries including Canada, Mexico, Japan, and Australia are expected to ratify the Trans-Pacific Partnership, now known as the <a href="https://www.mfat.govt.nz/assets/CPTPP/Comprehensive-and-Progressive-Agreement-for-Trans-Pacific-Partnership-CPTPP-English.pdf"><span class="s2">Comprehensive and Progressive Agreement for Trans-Pacific Partnership</span></a> (CPTPP). The agreement has been slimmed down both in its content—22 items in the text have been suspended, including the bulk of the intellectual property chapter—and also in its membership, with the exclusion of the United States, which had been the driver of those suspended provisions.</span></p>
<p class="p1"><span class="s1">What remains in the CPTPP is the agreement's Electronic Commerce (also called digital trade) chapter, which will set new, flawed rules for the region on topics such as the free flow of electronic data, access to software source code, and even rules applicable to domain name privacy and dispute resolution. But it's not the only Asian trade agreement seeking to set such rules. There's another lesser-known but equally important agreement under negotiation by sixteen countries, called the Regional Comprehensive Economic Partnership Agreement (RCEP).</span></p>
<p class="p1"><span class="s1">Like CPTPP, RCEP would cover issues that are critical to the digital economy such as customs duties on electronic products, supply of cross-border services, paperless trading, telecommunications, intellectual property, source code disclosure, privacy and cross-border data flows. But unlike CPTPP, RCEP includes the giants of China and India, meaning that the agreement would <a href="http://www.thejakartapost.com/news/2018/02/07/indonesia-strives-for-conclusion-of-rcep-talks.html"><span class="s3">represent</span></a> a massive 28.5 percent of global trade. While India's commitment to the deal has become somewhat equivocal, RCEP holds an important place in China's ambitions to consolidate its leadership role in the region.</span></p>
<h3 class="p2"><span class="s1"><b>India Not Ready to Compromise </b></span></h3>
<p class="p1"><span class="s1">The RCEP negotiating parties met last month in Indonesia between February 2 and 9, and although continuing secrecy in the negotiation process makes it difficult to accurately assess progress, a series of missed deadlines point to growing uncertainty about the conclusion of the talks.</span></p>
<p class="p1"><span class="s1">One of the sticking points is that countries such as India are pushing for a strong services pact which would facilitate the free movement of professionals, whereas China, South Korea, Japan, Australia and New Zealand remain reluctant to commit. On the other hand, the Indian government is <a href="https://www.thehindubusinessline.com/economy/policy/asean-pushes-india-to-conclude-rcep-this-year/article10046655.ece"><span class="s3">being cautious</span></a> about opening up its markets and has incentives to draw out negotiations with elections scheduled next year. India's position on intellectual property is <a href="https://thediplomat.com/2017/08/india-rcep-and-the-wipo-internet-treaties-time-for-a-rethink/"><span class="s3">also different</span></a> from other negotiating countries such as Japan and Korea, which are pushing for a harder, TPP-like line.</span></p>
<p class="p1"><span class="s1">As pressure to conclude the deal has intensified, <a href="http://www.livemint.com/Politics/c8gAjezLNvELKpIUxAqC3L/India-needs-to-be-extra-cautious-in-RCEP-trade-talks-Arvind.html"><span class="s3">calls for India to exit or block a speedy conclusion</span></a> of the agreement have also grown louder. At the Indo-ASEAN meeting in New Delhi, the Indonesian Trade Minister <a href="https://www.thehindubusinessline.com/economy/policy/asean-pushes-india-to-conclude-rcep-this-year/article10046655.ece"><span class="s3">reiterated that</span></a> the ASEAN bloc expected India not to block attempts to conclude the RCEP this year. Mounting expectations may lead India to withdraw from the talks, a move that would impact the strategic and economic value of the agreement.</span></p>
<h3 class="p2"><span class="s1"><b>Can Digital Trade Improve Internet Freedom in China? </b></span></h3>
<p class="p1"><span class="s1">With India's continuing participation in doubt, Beijing has thrown its weight behind the agreement. Chinese Foreign Ministry spokesperson Hua Chunying recently underscored<a href="https://gbtimes.com/china-reiterates-support-for-rcep-trade-talks"><span class="s3"> that</span></a> Beijing attaches great importance to the RCEP talks and plans to ensure ratification of the agreement by year end. Following the US withdrawal from the TPP, China sees an early conclusion of the RCEP as critical for creating confidence in and promoting its regional and global trade leadership, especially given its absence from the CPTPP.</span></p>
<p class="p1"><span class="s1">Addressing the lack of progress on RCEP has gained urgency as China's trade war with the US has <a href="https://www.cato.org/blog/invisible-trade-war-no-longer"><span class="s3">intensified</span></a>. The US is contemplating <a href="https://www.congress.gov/bill/115th-congress/house-bill/4747/text"><span class="s3">legislation</span></a> that would forbid U.S. government agencies from purchasing ICT equipment produced by Chinese ICT companies, or their subsidiaries and affiliates. If the law is passed, government agencies would be <a href="https://conaway.house.gov/news/documentsingle.aspx?DocumentID=398326"><span class="s3">restricted</span></a> from doing business with any entity that uses equipment produced by those companies.</span></p>
<p class="p1"><span class="s1">Last week, concerns about China <a href="https://www.techradar.com/news/china-will-block-all-non-approved-vpns-from-next-month"><span class="s3">banning the use </span></a>of Virtual Private Networks (VPNs) as part of its proposed regulation for telecommunications networks prompted the US to demand an intervention from the World Trade Organization (WTO). What makes this development interesting is that it is the first time that a trade resolution has been sought to address, even incidentally, a serious human rights issue for Chinese Internet users. It is also interesting that the remedy sought is under the existing WTO rules, which at least raises questions about the added value of the new generation of digital trade agreements such as CPTPP and RCEP.</span></p>
<p class="p1"><span class="s1">As countries head into the next round of RCEP negotiations, the challenge before negotiators is reaching a speedy conclusion versus ensuring a balanced agreement. It's going to be difficult to achieve that balance with the current level of secrecy and lack of consultation surrounding the agreement. Just as the same flaws in the negotiation process for the CPTPP have resulted in an agreement that fails to address users' needs or to preserve their digital rights, RCEP is unlikely to have anything more to offer for Internet users and innovators.</span></p>
</div></div></div>
Fri, 02 Mar 2018 18:12:42 +0000
98197 at https://www.eff.org
Commentary, Trans-Pacific Partnership Agreement, Trade Agreements and Digital Rights
Jyoti Panday
Playboy Drops Misguided Copyright Case Against Boing Boing
https://www.eff.org/deeplinks/2018/02/playboy-drops-misguided-copyright-case-against-boing-boing
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>In a victory for journalism and fair use, Playboy Entertainment has given up on its <a href="https://www.eff.org/press/releases/eff-court-linking-not-copyright-infringement">lawsuit</a> against Happy Mutants, LLC, the company behind <a href="https://boingboing.net/">Boing Boing</a>. Earlier this month, a federal court <a href="https://www.eff.org/deeplinks/2018/02/court-dismisses-playboys-lawsuit-against-boing-boing-now">dismissed Playboy’s claims</a> but gave Playboy permission to try again with a new complaint, if it could dig up some new facts. The deadline for filing that new complaint passed this week, and today Playboy released a <a href="https://twitter.com/cfarivar/status/968895446771892225">statement</a> suggesting that it is standing down. That means both Boing Boing and Playboy can go back to doing what they do best: producing and reporting on culture and technology.</p>
<p>This case began when Playboy <a href="https://www.eff.org/press/releases/eff-court-linking-not-copyright-infringement">filed suit</a> accusing Boing Boing of copyright infringement for reporting on a historical collection of Playboy centerfolds and linking to a third-party site. The <a href="https://boingboing.net/2016/02/29/every-playboy-playmate-centerf.html">post in question</a>, from February 2016, reported that someone had uploaded scans of the photos, and noted they were “an amazing collection” reflecting changing standards of what is considered sexy. The post contained links to an imgur.com page and YouTube video—neither of which were created by Boing Boing.</p>
<p>Together with law firm <a href="https://durietangri.com/">Durie Tangri</a>, EFF filed a motion to dismiss [<a href="https://www.eff.org/files/2018/02/05/motion_to_dismiss_-_playboy_v_happy_mutants.pdf">PDF</a>]. We explained that Boing Boing did not contribute to the infringement of any Playboy copyrights by including a link to illustrate its commentary. The judge agreed, <a href="https://www.eff.org/deeplinks/2018/02/court-dismisses-playboys-lawsuit-against-boing-boing-now">dismissing</a> the lawsuit and writing that he was “skeptical that plaintiff has sufficiently alleged facts to support either its inducement or material contribution theories of copyright infringement.”</p>
<p>It’s hard to understand why Playboy brought this case in the first place, turning its legal firepower on a small news and commentary website that hadn’t uploaded or hosted any infringing content. We’re also a little perplexed as to why Playboy <a href="https://twitter.com/cfarivar/status/968895446771892225">seems so unhappy</a> that the <a href="https://boingboing.net/2016/02/29/every-playboy-playmate-centerf.html">Boing Boing post</a> is still up when the links they complain about have been dead for almost two years. In any event, this suit now appears to be over and the Boing Boing team can focus on doing what they love: sharing news, commentary, and awesome things with the world.</p>
</div></div></div><div class="field field--name-field-related-cases field--type-node-reference field--label-above"><div class="field__label">Related Cases:&nbsp;</div><div class="field__items"><div class="field__item even"><a href="/cases/playboy-entertainment-group-v-happy-mutants">Playboy Entertainment Group v. Happy Mutants</a></div></div></div>Wed, 28 Feb 2018 23:09:44 +000098213 at https://www.eff.orgFair UseFree SpeechBloggers' RightsDaniel NazerStupid Patent of the Month: Buying A Bundle of Diamondshttps://www.eff.org/deeplinks/2018/02/stupid-patent-month-buying-bundle-diamonds
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>This month’s Stupid Patent shows what happens when the patent system strays outside its proper boundaries. US Patent No. <a href="https://patents.google.com/patent/US8706513B2">8,706,513</a> describes a “fungible basket of investment grade gems” for use in “financial instruments.” In other words, it’s a rating and trading system that attempts to turn diamonds into a tradeable commodity like oil, gold, or corn.</p>
<p>Of course, creating new types of investment vehicles isn’t really an invention. And patents on newfangled financial techniques like this were generally barred following <a href="https://www.eff.org/cases/re-bilski">Bilski v. Kappos</a>, a 2008 Supreme Court case that prevents the patenting of purely financial instruments. Since then, the law has become even less favorable to abstract business method patents like this one. In our view, the ’513 patent would not survive a challenge under <em>Bilski </em>or the Supreme Court’s 2014 decision in <em><a href="https://www.eff.org/alice">Alice v. CLS Bank</a></em>.</p>
<p>Despite its clear problems, the ’513 patent is being asserted in court—and one of the people best placed to testify against the patent may not be allowed to.</p>
<p>The public’s right to challenge a patent in court is a critical part of the US patent system that has always balanced the exclusive power of a patent. It’s especially important since patents are often granted by overworked examiners who get <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=261400">an average of 18 hours</a> to review applications.</p>
<p>But there are two types of persons that, increasingly, aren't allowed to challenge problematic patents: inventors of patents, and even partial owners of patents. Under a doctrine known as “assignor estoppel,” the Federal Circuit has barred inventors from challenging patents that they acquired for a former employer. Assignor estoppel was originally meant to cover a narrow set of circumstances—inventors who engaged in fraud or bad dealing, for instance—but the nation’s top patent court now routinely applies it to prevent inventors from challenging patents.</p>
<p>Patent scholar Mark Lemley flagged this problem in a <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2755785">2016 paper</a>, noting assignor estoppel could be used to control the free movement of employees or quash a legitimate competitor. “Inventors as a class are put under burdens that we apply to no other employee,” he wrote. “If they start a company, or even go to work for an existing company in the same field, they will not be able to defend a patent suit from their old employer.”</p>
<p>In this case, the Federal Circuit’s expansive view of assignor estoppel may prevent a person who owned just a fraction of a patent from fighting back when that patent gets used in an attempt to quash a competing business.</p>
<p>Despite the fact that this gemological trading system should never have been granted a patent, so far, it’s being successfully used by its owner to beat up on a competitor—and the competitor could be barred from even challenging the patent by assignor estoppel.</p>
<h3>Competing Diamond Companies</h3>
<p>GemShares was created in 2008 to market “diamond investment products.” The original partners were joined in business by a man named Arthur Lipton, who bought 20% of GemShares in 2013. He struck a deal not to compete with GemShares.</p>
<p>GemShares says [<a href="/files/2018/02/27/gemshares.complaint.pdf">PDF</a>] Lipton broke that deal in 2014, when he started working on his own project, a “secure diamond smart card,” and filed for patents related to it. But in addition to breach of contract, GemShares sued for patent infringement. They said Lipton’s new business violated the ’513 patent.</p>
<p>The litigation also involves breach of contract claims, and allegations of fraud from Lipton’s former partner. Without getting into the weeds on all that, the defendant in this case may not even be allowed to argue that the “gem financial product” patent is invalid. Earlier this month, the judge overseeing the case issued an order [<a href="/files/2018/02/27/gemshares.order_.pdf">PDF</a>] noting that “the Federal Circuit has upheld the doctrine of assignor estoppel, which precludes an inventor-assignor of a patent sued for infringement from arguing the patent's invalidity.”</p>
<p>The Federal Circuit has made assignor estoppel so powerful, in fact, that Lipton’s 20% ownership contract with GemShares may be enough to stop him and his lawyers from mounting an invalidity defense.</p>
<p>It’s bad policy to stop the public from challenging bad patents, and assignor estoppel should only be used in narrow cases, like outright fraud. As it’s been applied by the Federal Circuit, it’s destined to be used in exactly the way that Lemley warned it would—as an anticompetitive cudgel.</p>
<p>We agree with the brief signed by Lemley and more than two dozen other law professors [<a href="https://www.supremecourt.gov/DocketPDF/17/17-804/26677/20180103161029242_EVE-USA%20Law%20Profs%20PK%20Amicus%20FINAL.pdf">PDF</a>] in <em><a href="http://www.scotusblog.com/case-files/cases/eve-usa-inc-v-mentor-graphics-corp/">EVE-USA, Inc. v. Mentor Graphics Corp.</a></em>, arguing that the Supreme Court should take up this issue and keep assignor estoppel within the narrow limits it originally intended.</p>
</div></div></div>Wed, 28 Feb 2018 19:01:35 +000098204 at https://www.eff.orgStupid Patent of the MonthJoe MullinState Lawmakers Want to Block Pornography at the Expense of Your Free Speech, Privacy, and Hard-Earned Cashhttps://www.eff.org/deeplinks/2018/02/state-lawmakers-want-block-pornography-expense-your-free-speech-privacy-and-hard
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>More than 15 state legislatures are considering the “</span><a href="http://humantraffickingpreventionact.com/"><span>Human Trafficking Prevention Act</span></a><span>” (HTPA). But don’t let the name fool you: this bill would do nothing to address human trafficking. Instead, it would only threaten your free speech and privacy in a misguided attempt to block and tax </span><span>online pornography.</span></p>
<p><span>EFF opposed versions of this bill in over a dozen states </span><a href="https://www.eff.org/deeplinks/2017/04/states-introduce-dubious-legislation-ransom-internet"><span>last year</span></a><span>, and the bill failed in all</span> <span>of them. Now HTPA is back, and we have </span><a href="https://www.eff.org/files/2018/02/28/htpa_letter.pdf">written in opposition</a><span> to the bill again, urging lawmakers to reject it this year.</span></p>
<p><span>The gist of the model legislation is this: Device manufacturers would be forced to install "obscenity filters" on cell phones, tablets, computers, and any other Internet-connected devices. Those filters could only be removed if consumers pay a $20 fee. In addition to violating the First Amendment and burdening consumers and businesses, this would allow the government to intrude into consumers’ private lives and restrict their control over their own devices.</span></p>
<p><span>On top of that, the story of this bill’s provenance is bizarre and </span><a href="https://www.thedailybeast.com/porn-filter-campaigner-has-been-convicted-of-harassment-and-assault"><span>highly recommended reading for any lawmakers</span></a><span> considering it. In short, the HTPA is part of a multi-state effort coordinated by the same person behind a bill to </span><a href="https://www.charlestoncitypaper.com/TheBattery/archives/2018/02/19/sc-house-introduces-parody-marriage-bill-written-by-man-who-wanted-to-marry-his-computer"><span>delegitimize same-sex marriages</span></a><span> as “parody marriages.” In this post, however, we’ll be focusing on the policy itself.</span></p>
<p><a href="https://www.eff.org/files/2018/02/28/htpa_letter.pdf"><i>Read EFF's opposition letter against HB 2422, Missouri's iteration of the Human Trafficking Prevention Act.</i></a></p>
<p><span>HTPA—also sometimes named the Human Trafficking and Child Exploitation Prevention Act—has been introduced in the following states: Hawaii (</span><a href="https://www.capitol.hawaii.gov/session2018/bills/SB2838_.HTM"><span>Version 1</span></a><span>, </span><a href="https://www.capitol.hawaii.gov/session2018/bills/SB2478_.HTM"><span>2</span></a><span>), </span><a href="http://www.ilga.gov/legislation/100/HB/10000HB5039.htm"><span>Illinois</span></a><span>, </span><a href="http://iga.in.gov/static-documents/9/c/7/2/9c723526/SB0394.01.INTR.pdf"><span>Indiana</span></a><span>, </span><a href="https://www.legis.iowa.gov/docs/publications/lgi/87/attachments/hsb523.html"><span>Iowa</span></a><span>, </span><a href="http://kslegislature.org/li/b2017_18/measures/documents/sb363_00_0000.pdf"><span>Kansas</span></a><span>, </span><a href="http://mgaleg.maryland.gov/2018RS/bills/sb/sb0585f.pdf"><span>Maryland</span></a><span>, </span><a href="http://billstatus.ls.state.ms.us/documents/2018/html/SB/2300-2399/SB2315IN.htm"><span>Mississippi</span></a><span>, </span><a href="https://house.mo.gov/billtracking/bills181/hlrbillspdf/6320H.01I.pdf"><span>Missouri</span></a><span>, </span><a href="https://www.nmlegis.gov/Sessions/18%20Regular/bills/senate/SB0089.pdf"><span>New Mexico</span></a><span>, New Jersey (</span><a href="http://www.njleg.state.nj.us/2018/Bills/A1000/878_I1.HTM"><span>Assembly</span></a><span>, </span><a href="http://www.njleg.state.nj.us/2018/Bills/S1000/540_I1.HTM"><span>Senate</span></a><span>), </span><a href="http://assembly.state.ny.us/leg/?default_fld=&amp;bn=A09011&amp;term=2017&amp;Summary=Y&amp;Actions=Y&amp;Text=Y&amp;Committee%26nbspVotes=Y&amp;Floor%26nbspVotes=Y#A09011"><span>New York</span></a><span>, </span><a href="http://webserver.rilin.state.ri.us/BillText18/SenateText18/S2028.pdf"><span>Rhode Island</span></a><span>, </span><a href="http://www.scstatehouse.gov/sess122_2017-2018/prever/3003_20161215.htm"><span>South 
Carolina</span></a><span>, Tennessee (</span><a href="http://www.capitol.tn.gov/Bills/110/Bill/HB2685.pdf"><span>House</span></a><span>, </span><a href="http://www.capitol.tn.gov/Bills/110/Bill/SB2280.pdf"><span>Senate</span></a><span>), </span><a href="http://lis.virginia.gov/cgi-bin/legp604.exe?181+ful+HB1592+hil"><span>Virginia</span></a><span>, West Virginia (</span><a href="http://www.wvlegislature.gov/Bill_Status/bills_text.cfm?billdoc=SB460%20INTR.htm&amp;yr=2018&amp;sesstype=RS&amp;i=460"><span>Senate</span></a><span>, </span><a href="http://www.wvlegislature.gov/Bill_Status/bills_text.cfm?billdoc=hb4584%20intr.htm&amp;yr=2018&amp;sesstype=RS&amp;i=4584"><span>House</span></a><span>), and </span><a href="http://legisweb.state.wy.us/2018/Introduced/HB0127.pdf"><span>Wyoming</span></a><span>. </span></p>
<p><span>While some versions of the legislation vary, each hits the following points.</span></p>
<h3><b>Pre-Installed Filters</b></h3>
<p><span>Manufacturers of Internet-enabled devices would be required to pre-install filters to block webpages and applications that contain sexual content. Although different versions of the bill specify this content differently, the end result is the same: an unconstitutional restriction on the lawful speech people can access and engage with on the Internet. </span></p>
<h3><b>A Censorship Tax</b></h3>
<p><span>After overriding consumer choice and forcing people to purchase filtering software they don’t necessarily want, the bill would require users to pay a $20 fee </span><i><span>per device </span></i><span>to remove the filters and to exercise their First Amendment rights to look at legal content. Between smartphones, tablets, desktop computers, TVs, gaming consoles, routers, and other Internet-enabled devices, consumers could end up paying a small fortune to unlock all of the devices in their home.</span></p>
<h3><b>Data Collection</b></h3>
<p><span>Anyone who wants to unlock the filters on their devices would have to put their request in writing, show ID, and verify that they’ve been shown a “written warning regarding the potential dangers” of removing the obscenity filter. That means that companies would be maintaining records on everyone who wanted their “Human Trafficking” filters removed. As EFF Stanton Fellow Camille Fischer explains in our opposition letter:</span></p>
<blockquote><p><span>To be clear, the HTPA’s deactivation process does not simply chill speech; it also requires consumers to sacrifice their privacy and anonymity, as the price of exercising their First Amendment rights. If enacted, consumers would be forced to identify themselves when making a written request for filter deactivation, creating a humiliating situation that suggests they want access to controversial sexual material. … In short, HTPA deactivation would be a frightening form of thought-based surveillance.</span></p>
</blockquote>
<p><span>Unlocking such filters would not just be about accessing pornography. A gamer could be seeking to improve the performance of their computer by deleting unnecessary software. A parent may want to install premium child safety software that is incompatible with a pre-installed filter. And, of course, many users will simply want to freely surf the Internet without repeatedly being denied access to legal content.</span></p>
<h3><b>Building A Censorship Machine</b></h3>
<p><span>The bill would force the companies we rely upon for open access to the Internet to create a massive, easily abused censorship apparatus. Tech companies would be required to operate call centers or online reporting centers to monitor complaints about which sites should or should not be filtered.</span></p>
<p><span>The technical requirements for this kind of aggressive platform censorship at scale are simply unworkable. If the attempts of social media sites to censor pornographic images are </span><a href="http://kernelmag.dailydot.com/issue-sections/features-issue-sections/12796/facebook-nudity-breasts-advertising/"><span>any indication</span></a><span>, we cannot count on algorithms to distinguish, for example, nude art from medical information from pornography. Facing risk of legal liability, companies would likely over-censor and sweep up legal content in their censorship net.</span></p>
<h3><b>Do The Right Thing</b></h3>
<p><span>Already lawmakers are starting to see through this legislation. In 2018, the bill has died in committees in Mississippi and Virginia. Democratic senators in New Mexico who introduced the legislation pulled back the bill days after EFF raised the alarm. </span></p>
<p><span>Legislators should continue to do the right thing: uphold the Constitution, protect consumers, and not use the real problem of human trafficking as an excuse to deprive users of their privacy and free speech.</span></p>
</div></div></div>Wed, 28 Feb 2018 17:55:46 +000098205 at https://www.eff.orgContent BlockingFree SpeechGennie GebhartNinth Circuit Court of Appeals Has New Opportunity to Protect Device Privacy at the Borderhttps://www.eff.org/deeplinks/2018/02/ninth-circuit-court-appeals-has-new-opportunity-protect-device-privacy-border
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>The U.S. Court of Appeals for the Ninth Circuit has a new opportunity to strengthen personal privacy at the border. When courts recognize and strengthen our Fourth Amendment rights against warrantless, suspicionless border searches of our electronic devices, it’s an important check on the government’s power to search anyone, for any or no reason, at airports and border checkpoints.</p>
<p>EFF recently filed amicus briefs in two cases, <a href="https://www.eff.org/press/releases/eff-asks-ninth-circuit-appeals-court-strengthen-privacy-protections-smart-phones"><em>U.S. v. Cano</em></a> and <a href="https://www.eff.org/document/eff-amicus-brief-us-v-caballero-9th-cir"><em>U.S. v. Caballero</em></a>, before the Ninth Circuit arguing that the Constitution requires border agents to have a probable cause warrant to search travelers’ electronic devices.</p>
<p>Border agents, whether from U.S. Customs and Border Protection (CBP) or U.S. Immigration and Customs Enforcement (ICE), regularly search cell phones, laptops, and other electronic devices that travelers carry across the U.S. border. The number of device searches at the border has <a href="https://www.eff.org/deeplinks/2018/01/round-effs-advocacy-against-border-device-searches">increased six-fold</a> in the past five years, with the increase accelerating during the Trump administration. These searches are authorized by agency policies that generally permit <a href="https://www.eff.org/deeplinks/2018/01/new-cbp-border-device-search-policy-still-permits-unconstitutional-searches">suspicionless searches</a> without any court oversight.</p>
<p>The last significant ruling on device privacy at the border in the Ninth Circuit, whose rulings apply to <a href="https://www.ca9.uscourts.gov/content/view.php?pk_id=0000000135">nine western states</a>, was in <a href="http://caselaw.findlaw.com/us-9th-circuit/1624272.html"><em>U.S. v. Cotterman</em></a> (2013). In that case, the court of appeals held that the Fourth Amendment required border agents to have had reasonable suspicion—a standard between no suspicion and probable cause—before they conducted a “forensic” search, aided by sophisticated software, of the defendant’s laptop. Unfortunately, the Ninth Circuit also held that a manual search of an electronic device is “routine” and so the traditional border search exception to the warrant requirement applies—that is, no warrant or any suspicion of wrongdoing is needed.</p>
<p>However, the year after the Ninth Circuit decided <em>Cotterman</em>, the U.S. Supreme Court decided <a href="http://caselaw.findlaw.com/us-supreme-court/13-132-nr2.html"><em>Riley v. California</em></a> (2014). Although that case did not involve the border context, its analysis and ultimate holding are highly instructive. The Supreme Court held that, while police may search those they arrest without a warrant, when it comes to an arrestee’s cell phone they need a probable cause warrant. The court based its holding on the extraordinary privacy interests that individuals have in the massive amounts of sensitive digital data that their cell phones contain. The court emphasized that electronic devices are nothing like physical containers, such as wallets.</p>
<p>Similarly, in the border search context, electronic devices are nothing like luggage or other physical items that travelers carry across the border. With the vast amounts and kinds of personal data that electronic devices contain—data that can reveal our political affiliations, religious beliefs and practices, sexual and romantic lives, financial status, health conditions, and family and professional associations—EFF argues that the Constitution requires the government to meet a higher burden before accessing this information.</p>
<p>Additionally, we argue that the method of search is irrelevant to the legal analysis of what standards should apply to border searches of electronic devices. Border agents significantly invade travelers’ privacy when they search a cell phone or laptop—whether by hand or with forensic software. In fact, the cell phone searches in <em>Riley</em> were manual searches, yet the Supreme Court applied the maximum Fourth Amendment protection available.</p>
<p>The Ninth Circuit has not yet ruled on whether or how <em>Riley</em> applies to border searches of electronic devices. With <em>Cano </em>and <em>Caballero</em>, the court of appeals has a fresh opportunity to do so—and hopefully will strengthen privacy protections for travelers within its jurisdiction. Affirming the importance of digital privacy, the <em>Caballero</em> court stated, “If it could, this Court would apply <em>Riley</em>.” Yet both district courts felt constrained by <em>Cotterman</em> and so did not require a warrant.</p>
<p>With these Ninth Circuit briefs, EFF has now filed a total of <a href="https://www.eff.org/cases/united-states-v-saboonchi">five</a> <a href="https://www.eff.org/press/releases/border-agents-need-warrant-search-travelers-phones-eff-tells-court">amicus</a> <a href="https://www.eff.org/press/releases/eff-court-border-agents-need-warrants-search-contents-digital-devices">briefs</a> <a href="https://www.eff.org/document/eff-amicus-brief-us-v-cano">since</a> <a href="https://www.eff.org/document/eff-amicus-brief-us-v-caballero-9th-cir">2015</a> arguing that border agents need a probable cause warrant to search electronic devices at the border. All of these cases, like <em>Riley</em>, were criminal cases where the defendants moved to suppress the evidence obtained from their devices without a warrant. That these were criminal cases should not alter the constitutional analysis. Even though the defendants in <em>Riley</em> were arrestees reasonably suspected of having committed crimes, the Supreme Court still required a warrant under the Fourth Amendment.</p>
<p>Additionally, our <a href="https://www.eff.org/cases/alasaad-v-duke"><em>Alasaad v. Nielsen</em></a> case against CBP and ICE is the first <em>civil</em> case post-<em>Riley</em> challenging unconstitutional border searches of electronic devices. Our clients are 11 Americans—10 citizens and one lawful permanent resident—who have not been accused of any wrongdoing. Yet they were subjected to highly intrusive searches of their cell phones and other electronic devices when they tried to re-enter the country.</p>
<p>Thus, whether through our civil case or the criminal appeals where we serve as amicus, we’re hopeful that the courts will explicitly apply <em>Riley</em> to the border and protect the digital privacy of thousands of travelers from unjustified government intrusion.</p>
</div></div></div>Wed, 28 Feb 2018 02:04:01 +000098207 at https://www.eff.orgLegal AnalysisBorder SearchesSophia CopeSecond Circuit Gouges TVEyes With Terrible Fair Use Rulinghttps://www.eff.org/deeplinks/2018/02/second-circuit-gouges-tveyes-terrible-fair-use-ruling
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>In a decision that threatens legitimate fair uses, the Second Circuit ruled against part of the service offered by <a href="https://www.tveyes.com/">TVEyes</a>, which creates a text-searchable database of broadcast content from thousands of television and radio stations in the United States and worldwide. The service is invaluable to people looking to investigate and analyze the claims made on broadcast television and radio. Sadly, this ruling is likely to interfere with that valuable service.</p>
<p>TVEyes allows subscribers to search through transcripts of broadcast content and gives a time code for what the search returns. It also allows its subscribers to search for, view, download, and share ten-minute clips. It’s used by exactly who you’d think would need a service like this: journalists, scholars, politicians, and so on in order to monitor what’s being said in the media. If you’ve ever read a story where a public figure’s words now are contrasted with contradictory things they said in the past, then you’ve seen the effects of TVEyes.</p>
<p><a href="https://www.eff.org/deeplinks/2014/09/fair-use-ftw-fox-copyright-claim-fails-suppress-tveyes-media-monitoring-service">In 2014</a>, the district court hearing the case threw out a number of arguments made by Fox News and held that a lot of what TVEyes does is fair use, but asked to hear more about customers’ ability to archive video clips, share links to video clips via email, download clips, and search for clips by date and time (as opposed to keywords). <a href="https://www.eff.org/deeplinks/2015/08/dangerous-decision-fair-use-tveyes-case">In 2015</a>, the district court found the archiving feature to be a fair use, but found the other features to be “infringing.” </p>
<p>And now the 2<sup>nd</sup> Circuit has reversed [<a href="http://www.ca2.uscourts.gov/decisions/isysquery/b63f08b4-1b73-43b4-888c-0f7f6cf94f6b/1/doc/15-3885_complete_opn.pdf#xml=http://www.ca2.uscourts.gov/decisions/isysquery/b63f08b4-1b73-43b4-888c-0f7f6cf94f6b/1/hilite/">PDF</a>] the 2015 finding that the archiving was fair use <em>and</em> upheld the finding that the rest of TVEyes’ video features are not fair use. That’s a hugely disappointing outcome that could lead to a decrease in news analysis and commentary.</p>
<p>Fair use is determined by a look at four factors: the purpose and character of the use (i.e., how “transformative” it is), the nature of the copyrighted work, the amount and substantiality used, and the effect the use has on the market.</p>
<p>The Second Circuit decision does acknowledge that TVEyes’ functions are transformative “insofar as it enables users to isolate, from an ocean of programming, material that is responsive to their interests and needs, and to access that material with targeted precision.” Where the court gets this wrong is in saying that because that material is delivered “unaltered from its original form with no new expression, meaning, or message,” this factor only weighs slightly in favor of TVEyes. A researcher or a journalist watching ten minutes relevant to a specific search is doing something very different from an average television viewer. The new and different purpose being served by TVEyes means this factor should have favored the service more than just slightly.</p>
<p>The court found that the second factor, not really a big player in this analysis, was neutral. TVEyes argued that it was providing access to facts, which are not copyrightable, so this factor weighed in their favor. The court replied that just because works are factual doesn’t mean they can be copied and shared wholesale.</p>
<p>The court found that the third factor favored Fox because the ten-minute clips are long relative to the “brevity of the average news segment on a particular topic.” The result, in the court’s eyes, is that users would see <em>all</em> of the segment on the topic they were searching for, destroying the need to go watch Fox News. The court envisions a future where media criticism is limited to organizations with the budget and stamina to assign someone to watch Fox News 24 hours a day.</p>
<p>The biggest failure is in the court’s analysis of the fourth factor. The court says that TVEyes successfully charging its subscribers $500 a month shows that it has created a profitable business that is somehow displacing a channel’s prospective revenue, especially since it allows people to watch content without the owner’s permission. That ignores a fundamental characteristic of fair use.</p>
<p>If use of someone’s words was contingent on the permission of the person who said them, you would never be able to critique what was being said. Fair use allows the use of copyrighted material <em>without permission</em> for this very reason. It’s not in the interest of anyone to license out clips of their material for the purpose of it being debunked, which is why the service provided by TVEyes is so valuable.</p>
<p>Moreover, the market for a cable news subscription and the market for a service like TVEyes are not the same. And restricting that service to the hands of the copyright holder will keep important criticism and commentary from being done. Now more than ever we need rulings that reaffirm the importance of news analysis rather than ones that devalue it, as the Second Circuit did here.</p>
<p>We're disappointed the court took such a limited view of the importance of this kind of use. It's incorrect and dangerous to consider this a plausible market. That's circular reasoning that threatens many traditional fair uses where one <em>could</em> theoretically get a license but should not have to because stopping the use isn't a legitimate application of copyright law.</p>
</div></div></div>Wed, 28 Feb 2018 01:55:43 +000098206 at https://www.eff.orgCreativity & InnovationFair UseKatharine TrendacostaHouse Vote on FOSTA is a Win for Censorshiphttps://www.eff.org/deeplinks/2018/02/house-vote-fosta-win-censorship
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>The bill passed today 388-25 by the U.S. House of Representatives marks an unprecedented push towards Internet censorship, and does nothing to fight sex traffickers.</p>
<p>H.R. 1865, the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA), allows for private lawsuits and criminal prosecutions against Internet platforms and websites, based on the actions of their users. By creating huge new liabilities, the law will undoubtedly lead to platforms <a href="https://www.eff.org/deeplinks/2017/09/stop-sesta-whose-voices-will-sesta-silence">policing more user speech</a>.</p>
<p>The Internet we know today is possible only because of <a href="https://www.eff.org/issues/cda230">Section 230 of the Communications Decency Act</a>, which prevents online platforms from being held liable for their users’ speech, except in certain circumstances. FOSTA would punch a major hole in Section 230, enabling lawsuits and prosecutions against online platforms—including ones that aren’t even aware that sex trafficking is taking place.</p>
<p>If websites can be sued or prosecuted because of user actions, it creates extreme incentives. Some online services might react by prescreening or filtering user posts. Others might get sued out of existence. New companies, fearing FOSTA liabilities, may not start up in the first place.</p>
<p>The tragedy is that FOSTA isn’t needed to prosecute or sue sex traffickers. As we’ve said before, Section 230 <a href="https://www.eff.org/deeplinks/2017/09/stop-sesta-section-230-not-broken">simply isn’t broken</a>. Right now, there is nothing preventing federal prosecution of an Internet company that knowingly aids in sex trafficking. That includes anyone hosting advertisements for sex trafficking, which is explicitly a federal crime under 18 U.S.C. § 1591, as amended by the 2015 SAVE Act. The website that produced the most discussion around this issue, Backpage.com, is <a href="https://www.azcentral.com/story/news/local/phoenix/2017/04/14/allegations-increase-against-backpage-founders-have-become-big-political-donors-arizona/100421528/">reportedly under federal investigation</a>.</p>
<p>The array of online services protected by Section 230, and thus hurt by FOSTA, is vast. It includes review sites, online marketplaces, discussion boards, ISPs, even news publications with comment sections. Even small websites host thousands or millions of users engaged in around-the-clock discussion and commerce. By attempting to add an additional tool to hold liable the tiny minority of those platforms whose users do awful things, FOSTA does real harm to the overwhelming majority, who will inevitably be subject to censorship.</p>
<p>Websites run by nonprofits or community groups, which have limited resources to police user content, would face the most risk. Perversely, some of the discussions most likely to be censored could be those by and about victims of sex trafficking. Overzealous moderators, or automated filters, won’t distinguish nuanced conversations and are likely to pursue the safest, censorial route.</p>
<p>We hope the Senate will reject FOSTA and uphold Section 230, a law that has protected a free and open Internet for more than two decades. Call your senator now and let them know that online censorship isn’t the solution to fighting sex trafficking.</p>
<p class="take-action"><a href="https://stopsesta.org">Take action</a></p>
<p class="take-action take-explainer">Stop FOSTA</p>
</div></div></div>
Tue, 27 Feb 2018 23:10:52 +0000
98202 at https://www.eff.org
Section 230 of the Communications Decency Act
Joe Mullin

Tell Congress to Protect the Open Internet
https://www.eff.org/deeplinks/2018/02/tell-congress-protect-open-internet
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Today, EFF is participating in a national Day of Action to push Congress to preserve the net neutrality rules the FCC repealed in December. With a simple majority, Congress can use the Congressional Review Act (CRA) to overturn the FCC’s new rule. We’re asking for members of the House and Senate to commit to doing so publicly.</p>
<p>On Thursday, February 22, the FCC’s so-called “Restoring Internet Freedom Order” was <a href="https://www.eff.org/deeplinks/2018/02/fccs-net-neutrality-order-was-just-published-so-now-fight-really-begins">published</a> in the Federal Register. Under the CRA, Congress has 60 working days to vote to overturn that Order. We’re asking representatives to publicly commit to doing just that. In the House of Representatives, that means supporting Representative Mike Doyle’s bill, <a href="https://democrats-energycommerce.house.gov/newsroom/press-releases/pallone-doyle-on-net-neutrality-repeal-in-federal-register">which has 150 co-sponsors</a>. In the Senate, Senator Ed Markey’s bill is <a href="https://www.markey.senate.gov/news/press-releases/senate-democrats-announce-major-milestone-in-fight-to-protect-net-neutrality-entire-senate-democratic-caucus-now-cosponsoring-legisaltion-to-reverse-fccs-recent-vote-and-fully-restore-the-2015-open">just <strong>one </strong>vote away</a> from passing.</p>
<p>Net neutrality means that Internet service providers (ISPs) should treat all data that travels over their networks fairly, without improperly discriminating in favor of particular apps, sites or services. For many years, net neutrality principles, in various forms, have forbidden unfair practices like blocking or throttling particular services and sites, as well as paid prioritization, where an ISP charges content providers to get better or faster or more consistent access to the ISP's customers or prioritizes its own content over a competitor’s. Thanks to the hard work of millions of Internet users, these protections were enshrined in the FCC’s 2015 Open Internet Order. The new Order eviscerated those protections; Congress can use the CRA to bring them back.</p>
<p>Because net neutrality is so popular, politicians often say they support it – but lip service is not enough. A vote to restore the net neutrality protections in the 2015 Open Internet Order is a clear, concrete thing that you can ask your representatives to do to support real net neutrality.</p>
<p>For that reason, we’re launching <a href="https://checkyourreps.org/">Check Your Reps</a>, a website that allows you to see whether or not your representatives are voting yes on bringing back the 2015 Open Internet Order, email them voicing your support for net neutrality, and share what you’ve learned.</p>
<p>The clock is ticking: make sure you tell your representatives to act.</p>
<p class="take-action"><a href="https://checkyourreps.org/">Take Action</a></p>
<p class="take-explainer"><a href="https://checkyourreps.org/">Tell Your Representatives to Bring Back Net Neutrality Protections</a></p>
</div></div></div>
Tue, 27 Feb 2018 19:26:02 +0000
98199 at https://www.eff.org
Call To Action, Creativity & Innovation, Net Neutrality
Katharine Trendacosta

Can India's Biometric Identity Program Aadhaar Be Fixed?
https://www.eff.org/deeplinks/2018/02/can-indias-aadhaar-biometric-identity-program-be-fixed
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>The Supreme Court of India has <a href="http://www.livelaw.in/sc-constitution-bench-begin-final-hearing-validity-aadhaar-cards-tomorrow/">commenced</a> final hearings in the long-standing challenge to India's massive biometric identity apparatus, Aadhaar. Following last August’s <a href="https://www.eff.org/deeplinks/2017/08/indias-supreme-court-upholds-right-privacy-fundamental-right-and-its-about-time">ruling</a> in the Puttaswamy case rejecting the Attorney General's contention that privacy was not a fundamental right, a five-judge bench is now weighing in on the privacy concerns raised by the unsanctioned use of Aadhaar.</p>
<p>The stakes in the Aadhaar case are huge, given the central government’s <a href="http://www.thehindu.com/todays-paper/tp-opinion/towards-a-unique-digital-south-asian-identity/article18411700.ece">ambitions</a> to export the underlying technology to other countries. Russia, Morocco, Algeria, Tunisia, Malaysia, Philippines, and Thailand have expressed interest in implementing biometric identification systems inspired by Aadhaar. The Sri Lankan government has <a href="http://www.thehindu.com/news/international/sri-lanka-is-keen-to-introduce-an-aadhaar-like-initiative/article22099494.ece">already made plans</a> to introduce a biometric digital identity for citizens to access services, despite stiff <a href="http://www.newsbharati.com/Encyc/2018/1/16/India-Sri-Lanka-MoU.html">opposition</a> to the proposal, and similar plans are under consideration in <a href="https://www.bloomberg.com/news/articles/2018-02-06/pakistan-to-profile-citizens-to-combat-rampant-tax-avoidance">Pakistan</a>, <a href="https://thehimalayantimes.com/nepal/national-id-card-distribution-begin-panchthar/">Nepal</a> and <a href="http://www.biometricupdate.com/201703/singapores-new-digital-identity-system-to-include-biometrics">Singapore</a>. The outcome of this hearing will impact the acceptance and adoption of biometric identity across the world.</p>
<p>At home in India, the need for biometric identity is staked on claims that it will improve government savings through efficient, targeted delivery of welfare. But in the years since its implementation, there is little evidence to back the government's savings claims. A widely quoted World Bank estimate of $11 billion annual savings (or potential savings) due to Aadhaar has been <a href="https://economictimes.indiatimes.com/news/economy/policy/aadhaars-11-bn-question-the-numbers-being-touted-by-govt-have-no-solid-basis/articleshow/62830705.cms">challenged</a> by economists.</p>
<p>The architects of Aadhaar also <a href="https://blogs.timesofindia.indiatimes.com/toi-edit-page/were-all-in-this-together-aadhaar-isnt-building-a-surveillance-dystopia-it-asserts-your-individual-identity-vis-a-vis-the-state/">invoke</a> inclusion to justify the need for creating a centralized identity scheme. Yet, contrary to government claims, there is growing evidence of denial of services for lack of an Aadhaar card, authentication failures that have led to <a href="https://scroll.in/article/867352/yet-another-aadhaar-linked-death-jharkhand-woman-dies-of-hunger-after-denial-of-rations">death</a>, <a href="https://thewire.in/214979/aadhaar-enabled-starvation-narendra-modis-new-india/">starvation</a>, denial of <a href="https://www.afternoonvoice.com/availing-opd-services-delhi-aadhaar-card-must-compulsory.html">medical services</a> and <a href="https://timesofindia.indiatimes.com/city/gurgaon/no-aadhaar-woman-delivers-at-gurugram-hospital-gate/articleshow/62857340.cms">hospitalization</a>, and denial of public utilities such as <a href="https://aadhaar.fail/aadhaar-exclusions/10767-lose-pension-faridabad-aadhaarfail/">pensions</a>, <a href="https://aadhaar.fail/aadhaar-exclusions/26000-people-fail-get-rations-delhi-aadhaarfail/">rations</a>, and <a href="https://aadhaar.fail/aadhaar-exclusions/indane-gas-freezes-connections-hp-denies-subsidies-customers-lack-aadhaar-linking/">cooking gas</a>.
During last week's <a href="http://www.thehindu.com/news/national/sc-flags-exclusions-under-aadhaar/article22694784.ece">hearings</a>, Aadhaar's governing institution, the Unique Identity Authority of India (UIDAI), was <a href="https://www.indiatimes.com/news/after-several-deaths-uidai-wakes-up-says-no-service-can-be-denied-in-absence-of-aadhaar-card-339431.html">forced</a> to clarify that access to entitlements would be maintained until an adequate mechanism for authentication of identity was in place, issuing a <a href="https://www.indiatimes.com/news/after-several-deaths-uidai-wakes-up-says-no-service-can-be-denied-in-absence-of-aadhaar-card-339431.html">statement</a> that "no essential service or benefit should be denied to a genuine beneficiary for the want of Aadhaar."</p>
<h2 id="centralized-decision-making-compromises-aadhaars-security">Centralized Decision-Making Compromises Aadhaar's Security</h2>
<p>The UIDAI was <a href="https://swarajyamag.com/politics/there-is-a-privacy-issue-with-the-aadhar-card">established</a> in 2009 by executive action as the sole decision-making authority for the allocation of resources, and contracting institutional arrangements for Aadhaar numbers. With no external or parliamentary oversight over its decision-making, UIDAI <a href="http://www.timesnownews.com/india/article/foreign-firms-had-access-to-unencrypted-aadhaar-data-reveals-rti/82046">engaged</a> in an opaque process of private contracting with foreign biometric service providers to provide technical support for the scheme. The government later <a href="http://www.prsindia.org/billtrack/the-aadhaar-targeted-delivery-of-financial-and-other-subsidies-benefits-and-services-bill-2016-4202/">passed</a> the <a href="https://uidai.gov.in/images/the_aadhaar_act_2016.pdf">Aadhaar Act in 2016</a> to legitimize UIDAI's powers, but used a special maneuver that enabled it to <a href="http://indianexpress.com/article/opinion/columns/privacy-after-aadhaar-money-bill-rajya-sabha-upa/">bypass</a> the House of Parliament, where the government lacked a majority, and prevented its examination by the Parliamentary Standing Committee. The <a href="https://thewire.in/34721/identity-of-the-aadhaar-act-supreme-court-and-the-money-bill-question/">manner</a> in which the Aadhaar Act was passed further weakens the democratic legitimacy of the Aadhaar scheme as a whole.</p>
<p>The lack of accountability emanating from UIDAI's centralized decision-making is evident in the rushed proof-of-concept trial of the project. Security researchers have <a href="https://www.moneylife.in/article/how-uidai-goofed-up-pilot-test-results-to-press-forward-with-uid-scheme/14863.html">noted</a> that the trial sampled data from just 20,000 people and nothing in the UIDAI's report confirms that each electronic identity on the Central ID Repository (CIDR) is unique or that de-duplication could ever be achieved. As mounting evidence confirms, the decision to create the CIDR was based on an <a href="https://www.medianama.com/2017/09/223-how-safe-is-the-aadhaar-database/">assumption</a> that biometrics cannot be faked, and that even if they were, it would be caught during deduplication.</p>
<p>It emerged during the Aadhaar hearings that UIDAI has neither access to nor control of the source code of the software used for Aadhaar CIDR. This means that to date there has been no independent audit of the software that could identify data-mining backdoors or security flaws. The Indian public has also become concerned about the practices of the foreign companies embedded in the Aadhaar system. One of three contractors to UIDAI who were provided full access to classified biometric data stored in the Aadhaar database and permitted to “collect, use, transfer, store and process the data” was US-based L-1 Identity Solutions. The company has since been acquired by a French company, Safran Technologies, which has been <a href="https://www.outlookindia.com/website/story/foreign-firm-contracted-for-aadhaar-under-fbi-radar-for-installing-secret-code-i/306064">accused</a> of hiding the provenance of code bought from a Russian firm to boost software performance of US law enforcement computers. The company is also facing a whistleblower lawsuit alleging it fraudulently took more than $1 billion from US law enforcement agencies.</p>
<h2 id="compromised-enrollment-scheme" class="p2">Compromised Enrollment Scheme</h2>
<p>The UIDAI also outsourced the responsibility for enrolling Indians in the Aadhaar system. State government bodies and large private organizations were selected to act as registrars, who, in turn, appointed enrollment agencies, including private contractors, to set up and operate mobile, temporary or permanent enrollment centers. UIDAI created an incentive-based model for successful enrollment, whereby registrars would <a href="https://uidai.gov.in/images/sanctionorders/sanction_order_may_08072017.pdf">earn</a> Rs 40-50 (about 75c) for every successful enrollment. Since compensation was tied to successful enrollment, the scheme created the incentive for operators to maximize their earning potential.</p>
<p>By delegating the collection of citizens' biometrics to private contractors, UIDAI created the scope for the enrollment procedure to be compromised. Hacks to work around the software and hardware soon emerged, and have been <a href="http://www.thehindu.com/news/national/uttar-pradesh-police-busts-fake-aadhaar-card-network/article19660140.ece">employed in scams</a> using cloned fingerprints to create fake enrollments. Corruption, bribery, and the creation of Aadhaar numbers with unverified, absent or false documents have also marred the rollout of the scheme. In 2016, on being detained and questioned, a Pakistani spy <a href="https://thewire.in/213761/uidai-aadhaar-lord-hanuman-pakistani-spy/">produced</a> an Aadhaar card bearing his alias and fake address as proof of identity. The Aadhaar card had been obtained through the enrollment procedure by providing fake identification information.</p>
<p>An India Today <a href="https://www.indiatoday.in/india/story/aadhaar-details-on-sale-for-rs-2-5-uidai-securing-data-1123441-2018-01-05">investigation</a> has revealed that the misuse of Aadhaar data is widespread, with agents willing to part with demographic records collected from Aadhaar applicants for Rs 2-5 (less than a cent). Another <a href="https://timesofindia.indiatimes.com/city/bengaluru/Agency-issues-smart-cards-without-check/articleshow/48737871.cms">report</a> from 2015 <a href="https://medium.com/karana/the-relative-print-feature-in-the-aadhaar-enrolment-client-7c916954eb54">suggests</a> that the enrollment client allows operators to use their fingerprints and Aadhaar number to access, update and print demographic details of people without their consent or biometric authentication.</p>
<p>More recently, an <a href="http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html">investigation</a> by The Tribune exposed that complete access to the UIDAI database was available for Rs 500 (about $8). The reporter paid to gain access to the data including name, address, postal code, photo, phone number and email collected by UIDAI. For an additional Rs 300, the service provided access to software which allowed the printing of the Aadhaar card after entering the Aadhaar number of any individual. A young Bangalore-based engineer has been accused of <a href="http://www.thehindu.com/news/national/karnataka/techie-held-for-accessing-sensitive-aadhaar-data/article19421763.ece">developing</a> an Android app "Aadhaar e-KYC", downloaded over 50,000 times since its launch in January 2017. The software claimed to be able to access Aadhaar information without authorization.</p>
<p>In light of the unreliability of information in the Aadhaar database and the systemic failure of the enrollment process, the biometric data collected before the enactment of the Aadhaar Act is an important issue before the Supreme Court. The petitioners have sought the destruction of all biometrics and personal information captured between 2009 and 2016 on the grounds that it was collected without informed consent and may have been compromised.</p>
<h2 id="authentication-failures" class="p2">Authentication Failures</h2>
<p>The <a href="https://thewire.in/151337/aadhaar-proof-possession-identity/">original plans</a> for authentication of a person holding an Aadhaar number under <a href="https://uidai.gov.in/images/the_aadhaar_act_2016.pdf">Section 2(c)</a> of the Aadhaar Act, 2016 were <a href="https://thewire.in/151337/aadhaar-proof-possession-identity/">meant to involve</a> returning a "Yes" if the person's biometric and demographic data matched those captured during the enrollment process, and "No" if it did not. But somewhere along the way, <a href="https://scroll.in/article/806297/no-longer-a-black-box-why-does-the-revised-aadhar-bill-allow-sharing-of-identity-information">this policy changed</a>, and in 2016, the UIDAI introduced a new mode of authentication, whereby submitting a person's biometric information against their Aadhaar number results in their demographic information being returned.</p>
<p>This has created a range of public and <a href="http://indianexpress.com/article/india/aadhaar-officials-part-of-private-firms-that-use-aadhaar-services-for-profit-4874824/">private</a> institutions using Aadhaar-based authentication for the provision of services. However, <a href="https://scroll.in/topic/38792/identity-project">authentication failures</a> due to incorrectly captured fingerprints, or a change in biometric details because of old age or wear and tear, are increasingly common. The ability to do electronic authentication is also limited in India and therefore, printed copies of the Aadhaar number and demographic details are considered as identification.</p>
<p>There are two main issues with this. First, as Aadhaar copies are just pieces of paper that can be easily faked, the use and acceptance of physical copies creates an avenue for fraud. UIDAI could limit the use of physical copies; however, doing so would deprive beneficiaries if authentication fails. Second, Aadhaar numbers are supposed to be secret: using physical copies encourages that number to be revealed and used publicly. For the UIDAI, whose aim is speedy enrollment and provision of services despite authentication failure, there is <a href="https://medium.com/@St_Hill/i-wrote-a-few-words-about-aadhaar-34e141afb725">no incentive</a> to stop the use of printed Aadhaar numbers.</p>
<p>Data security has also been weakened because institutions using Aadhaar for authentication have not met the standards for processing and storing data. Last year, UIDAI had to get more than 200 Central and State government departments, including educational institutes, to remove lists of Aadhaar beneficiaries, along with their name, address, and Aadhaar numbers, that <a href="https://timesofindia.indiatimes.com/india/210-govt-websites-made-public-aadhaar-details-uidai/articleshow/61711303.cms">had been uploaded and made available</a> on their public websites.</p>
<h2 id="securing-aadhaar" class="p2">Securing Aadhaar</h2>
<p>Can Aadhaar be secured? Not without significant institutional reforms, no. Aadhaar does not have an independent threat-analyzing agency: securing biometric data that has been collected falls under the purview of UIDAI. The agency does not have a Chief Information Officer (CIO) and has no defined standard operating procedures for data leakages and security breaches. Demographic information linked to an Aadhaar number, made available to private parties during authentication, <a href="https://scroll.in/article/823274/how-private-companies-are-using-aadhaar-to-deliver-better-services-but-theres-a-catch">is already being</a> collected and stored externally by those parties; the UIDAI has no legal power or regulatory mechanism to prevent this. The existence of parallel databases means that biometric and demographic information is increasingly scattered among government departments and private companies, many of whom have little conception of, or incentive to ensure, data security.</p>
<p>Second-order tasks of oversight and regulatory enforcement serve a critical function in creating accountability. Although UIDAI has issued legally-enforceable rules, there is no monitoring or enforcement agency, either within UIDAI or without, to see if these rules are being followed. For example, an audit of enrollment centers <a href="https://www.medianama.com/2018/01/223-constitutional-validity-of-aadhaar-day-2/">revealed</a> that UIDAI had no way of knowing if operators were retaining biometrics or for how long.</p>
<p>UIDAI has also neither adopted, nor encouraged reporting of software vulnerabilities or testing enrollment hardware. Reporting of security vulnerabilities provides <a href="https://www.troyhunt.com/is-indias-aadhaar-system-really-hack-proof-assessing-a-publicly-observable-security-posture/">learning opportunities</a> and <a href="https://factordaily.com/fsociety-interview-app-security-privacy/">improves coordination;</a> security researchers can fulfill the critical task of enabling institutions to identify failures, allowing incremental improvements to the system. But far from encouraging such security research, UIDAI has filed FIRs against <a href="https://thewire.in/223965/critics-aadhaar-say-surveillance-allege-government-harassment/">researchers and reporters</a> that uncovered flaws in the Aadhaar ecosystem.</p>
<p>As controversies over its ability to keep its data secure have grown, the agency has stuck to its aggressive stance, vehemently refuting any suggestion of the vulnerabilities in the Aadhaar apparatus. This attitude is perplexing given the number of data breaches and procedural gaps that are being uncovered every day. UIDAI is so confident of its security that it filed an <a href="http://www.firstpost.com/india/government-files-affidavit-in-aadhaar-case-claims-it-cannot-be-hacked-or-breached-supreme-court-to-hear-case-today-4190835.html">affidavit</a> before the Supreme Court in the Aadhaar case which claims that the data cannot be hacked or breached. UIDAI's defiance of their own patchy record hardly provides much cause for confidence.</p>
<h2>The Way Forward</h2>
<p>The current Aadhaar regime is structured to radically centralize the implementation of Indian government and private digital authentication systems. But a credible national identity system cannot be created by an opaque, unaccountable centralized agency that chooses not to follow democratic procedures when creating its rules. It would have made more sense to confine UIDAI's role to maintaining the legal structure that secures the individual right over their data, enforces contracts, ensures liability for data breaches, and performs dispute resolution. In that way, the jurisdictional authority of UIDAI would be limited to tasks where competition cannot be an organizing principle.</p>
<p>The present scheme has created a market of institutions that use Aadhaar for authentication of identity in the provision of services with varying degrees of transparency and privacy. The central control of the scheme is too rigid in some ways, as the bureaucratic structure of Aadhaar does not facilitate adaptation to security threats, or allow vendors or private companies to improve data protection practices. Yet in other ways, it is not strong enough, given the security lapses that it has enabled by giving multiple parties free access to the Aadhaar database.</p>
<p>By making Aadhaar mandatory, UIDAI has taken away the right of individuals to exit these unsatisfactory arrangements. The coercive measures taken by the State to encourage the adoption of Aadhaar have introduced new risks to individuals' data and national security. Even the efficiency argument has fallen flat, as it is negated by the unreliability of Aadhaar authentication. The tragedy of Aadhaar is that not only does it fail to generate efficiency and justice, it also introduces significant economic and social costs.</p>
<p>All in all, it's hard to see how this mess can be fixed without scrapping the system and—perhaps—starting again from scratch. As drastic as that sounds, the current Supreme Court challenge may, ironically, provide a golden opportunity to revamp the fatally flawed existing institutional arrangements behind Aadhaar, and provide the Indian government with a fresh opportunity to learn from the mistakes that brought it to this point.</p>
</div></div></div>
Tue, 27 Feb 2018 14:55:17 +0000
98139 at https://www.eff.org
Commentary, International, Privacy, Biometrics
Jyoti Panday

A Technical Deep Dive: Securing the Automation of ACME DNS Challenge Validation
https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Earlier this month, <a href="https://www.letsencrypt.org">Let's Encrypt</a> (the free, automated, open Certificate Authority EFF helped launch two years ago) passed a huge milestone: <a href="https://www.eff.org/deeplinks/2018/02/lets-encrypt-hits-50-million-active-certificates-and-counting">issuing over 50 million active certificates</a>. And that number is just going to keep growing, because in a few weeks Let's Encrypt will also start issuing “wildcard” certificates—a feature many system administrators have been asking for.</p>
<h3>What's A Wildcard Certificate?</h3>
<p>In order to validate an HTTPS certificate, a user’s browser checks to make sure that the domain name of the website is actually listed in the certificate. For example, a certificate from www.eff.org has to actually list www.eff.org as a valid domain for that certificate. Certificates can also list multiple domains (e.g., www.eff.org, ssd.eff.org, sec.eff.org, etc.) if the owner just wants to use one certificate for all of her domains. A wildcard certificate is just a certificate that says “I'm valid for all of the subdomains in this domain” instead of explicitly listing them all off. (In the certificate, this is indicated by a wildcard character, an asterisk. So if you examine the certificate for eff.org today, it will say it's valid for *.eff.org.) That way, a system administrator can get a certificate for their entire domain, and use it on new subdomains they hadn't even thought of when they got the certificate.</p>
<p>In order to issue wildcard certificates, Let's Encrypt is going to require users to prove their control over a domain by using a challenge based on <a href="https://en.wikipedia.org/wiki/Domain_Name_System">DNS</a>, the domain name system that translates domain names like www.eff.org into IP addresses like 69.50.232.54. From the perspective of a Certificate Authority (CA) like Let's Encrypt, there's no better way to prove that you control a domain than by modifying its DNS records, as controlling the domain is the very essence of DNS.</p>
<p>But one of the key ideas behind Let's Encrypt is that getting a certificate should be an automatic process. In order to be automatic, though, the software that requests the certificate will also need to be able to modify the DNS records for that domain. In order to modify the DNS records, that software will also need to have access to the credentials for the DNS service (e.g. the login and password, or a cryptographic token), and those credentials will have to be stored wherever the automation takes place. In many cases, this means that if the machine handling the process gets compromised, so will the DNS credentials, and this is where the real danger lies. In the rest of this post, we'll take a deep dive into the components involved in that process, and what the options are for making it more secure.</p>
<h3>How Does the DNS Challenge Work?</h3>
<p>At a high level, the DNS challenge works like all the other automatic challenges that are part of the ACME protocol—the protocol that a Certificate Authority (CA) like Let's Encrypt and client software like Certbot use to communicate about what certificate a server is requesting, and how the server should prove ownership of the corresponding domain name. In the DNS challenge, the user requests a certificate from a CA by using ACME client software like Certbot that supports the DNS challenge type. When the client requests a certificate, the CA asks the client to prove ownership over the domain by adding a specific TXT record to its DNS zone. More specifically, the CA sends a unique random token to the ACME client, and whoever has control over the domain is expected to put this TXT record into its DNS zone, in the predefined record named "_acme-challenge" under the actual domain the user is trying to prove ownership of. As an example, if you were trying to validate the domain for *.eff.org, the validation subdomain would be "_acme-challenge.eff.org." When the token value is added to the DNS zone, the client tells the CA to proceed with validating the challenge, after which the CA will do a DNS query towards the authoritative servers for the domain. If the authoritative DNS servers reply with a DNS record that contains the correct challenge token, ownership over the domain is proven and the certificate issuance process can continue.</p>
<h3>DNS Controls Digital Identity</h3>
<p>What makes a DNS zone compromise so dangerous is that DNS is what users’ browsers rely on to know what IP address they should contact when trying to reach your domain. This applies to every service that uses a resolvable name under your domain, from email to web services. When DNS is compromised, a malicious attacker can easily intercept all the connections directed toward your email or other protected service, terminate the TLS encryption (since they can now prove ownership over the domain and get their own valid certificates for it), read the plaintext data, and then re-encrypt the data and pass the connection along to your server. For most people, this would be very hard to detect.</p>
<h3>Separate and Limited Privileges</h3>
<p>Strictly speaking, in order for the ACME client to handle updates in an automated fashion, the client only needs to have access to credentials that can update the TXT records for "_acme-challenge" subdomains. Unfortunately, most DNS software and DNS service providers do not offer granular access controls that allow for limiting these privileges, or simply do not provide an API to handle automating this outside of the basic DNS zone updates or transfers. This leaves the possible automation methods either unusable or insecure.</p>
<p>A simple trick can help maneuver past these kinds of limitations: using the <a href="https://en.wikipedia.org/wiki/CNAME_record">CNAME record</a>. CNAME records essentially act as links to another DNS record. Let's Encrypt follows the chain of CNAME records and will resolve the challenge validation token from the last record in the chain.</p>
<h3>Ways to Mitigate the Issue</h3>
<p>Even with CNAME records, the underlying issue remains: the ACME client still needs access to credentials that allow it to modify some DNS record. There are different ways to mitigate this, with varying levels of complexity and different security implications in case of a compromise. The following sections introduce some of these methods and explain the possible impact if the credentials are compromised. With one exception, all of them make use of CNAME records.</p>
<h4>Only Allow Updates to TXT Records</h4>
<p>The first method is to create a set of credentials with privileges that only allow updating of TXT records. In the case of a compromise, this method limits the fallout to the attacker being able to issue certificates for all domains within the DNS zone (since they could use the DNS credentials to get their own certificates), as well as interrupting mail delivery. The impact to mail delivery stems from mail-specific TXT records, namely <a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">SPF</a>, <a href="https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail">DKIM</a>, its extension <a href="https://en.wikipedia.org/wiki/Author_Domain_Signing_Practices">ADSP</a> and <a href="https://en.wikipedia.org/wiki/DMARC">DMARC</a>. A compromise of these would also make it easy to deliver phishing emails impersonating a sender from the compromised domain in question.</p>
<h4>Use a "Throwaway" Validation Domain</h4>
<p>The second method is to manually create CNAME records for the "_acme-challenge" subdomain and point them towards a validation domain that would reside in a zone controlled by a different set of credentials. For example, if you want to get a certificate to cover yourdomain.tld and www.yourdomain.tld, you'd have to create two CNAME records—"_acme-challenge.yourdomain.tld" and "_acme-challenge.www.yourdomain.tld"—and point both of them to an external domain for the validation.</p>
<p>The domain used for the challenge validation should be in an external DNS zone or in a subdelegate DNS zone that has its own set of management credentials. (A subdelegate DNS zone is defined using NS records and it effectively delegates the complete control over a part of the zone to an external authority.)</p>
<p>The impact of compromise for this method is rather limited. Since the actual stored credentials are for an external DNS zone, an attacker who gets the credentials would only gain the ability to issue certificates for all the domains pointing to records in that zone.</p>
<p>However, figuring out which domains actually do point there is trivial: the attacker would just have to read <a href="https://www.certificate-transparency.org/">Certificate Transparency</a> logs and check if domains in those certificates have a magic subdomain pointing to the compromised DNS zone.</p>
<h4>Limited DNS Zone Access</h4>
<p>If your DNS software or provider allows for creating permissions tied to a subdomain, this could help you to mitigate the whole issue. Unfortunately, at the time of publication the only provider we have found that allows this is <a href="https://docs.microsoft.com/en-us/azure/dns/dns-protect-zones-recordsets">Microsoft Azure DNS</a>. Dyn supposedly also has granular privileges, but we were not able to find a lower level of privileges in their service besides “Update records,” which still leaves the zone completely vulnerable.</p>
<p>Route53 and possibly others allow their users to create a subdelegate zone, new user credentials, point NS records towards the new zone, and point the "_acme-challenge" validation subdomains to them using the CNAME records. It’s a lot of work to do the privilege separation correctly using this method, as one would need to go through all of these steps for each domain they would like to use DNS challenges for.</p>
<h4>Use ACME-DNS</h4>
<p><em>As a disclaimer, the software discussed below is written by the author, and it’s used as an example of the functionality required to handle credentials required for DNS challenge automation in a secure fashion.</em> The final method is a piece of software called ACME-DNS, written to combat this exact issue, and it's able to mitigate the issue completely. One downside is that it adds one more thing to your infrastructure to maintain, as well as the requirement to have the DNS port (53) open to the public internet. ACME-DNS acts as a simple DNS server with a limited HTTP API. The API itself only allows updating the TXT records of automatically generated random subdomains. There are no methods to request lost credentials, or to update or add other records. It provides two endpoints:</p>
<ul><li>/register – This endpoint generates a new subdomain for you to use, accompanied by a username and password. As an optional parameter, the register endpoint takes a list of CIDR ranges to whitelist updates from.</li>
<li>/update – This endpoint is used to update the actual challenge token to the server.</li>
</ul><p>In order to use ACME-DNS, you first have to create A/AAAA records for it, and then point NS records towards it to create a delegation node. After that, you simply create a new set of credentials via the /register endpoint, and point the CNAME record from the "_acme-challenge" validation subdomain of the originating zone towards the newly generated subdomain.</p>
<p>The only credentials saved locally would be the ones for ACME-DNS, and they are only good for updating the exact TXT records for the validation subdomains for the domains on the box. This effectively limits the impact of a possible compromise to the attacker being able to issue certificates for these domains. For more information about ACME-DNS, visit <a href="https://github.com/joohoi/acme-dns/">https://github.com/joohoi/acme-dns/</a>.</p>
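<p>The four methods above differ mainly in what a stolen credential lets its holder change. The following Python model is an added example, not code from the original post or from the ACME-DNS project: it follows the "_acme-challenge" CNAME chain for each audited domain and reports which certificates, address records and mail-related TXT records a given credential exposes. The zones validation.example and auth.example, the record names, otherdomain.tld and the Credential class are hypothetical, and all data is constructed.</p>

```python
from dataclasses import dataclass
from typing import Optional

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def challenge_name(domain):
    """Validation record for a domain; "*.eff.org" validates at "_acme-challenge.eff.org"."""
    domain = norm(domain)
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain

def follow_cnames(name, cnames, max_hops=8):
    """Return every name visited from `name`; the CA reads the TXT record at the last one."""
    hops = [norm(name)]
    while hops[-1] in cnames:
        target = norm(cnames[hops[-1]])
        if target in hops or len(hops) > max_hops:
            raise ValueError("CNAME loop or over-long chain at " + target)
        hops.append(target)
    return hops

@dataclass(frozen=True)
class Credential:
    """What a stored DNS credential is allowed to change (hypothetical model)."""
    zone: str                          # zone the credential belongs to
    types: frozenset                   # record types it may change; "*" means any
    names: Optional[frozenset] = None  # None: any name in the zone; else exact names

    def may_change(self, name, rtype):
        in_zone = name == self.zone or name.endswith("." + self.zone)
        type_ok = "*" in self.types or rtype in self.types
        name_ok = self.names is None or name in self.names
        return in_zone and type_ok and name_ok

def can_issue(cred, domain, cnames):
    """True if whoever holds `cred` could answer the DNS challenge for `domain`."""
    hops = follow_cnames(challenge_name(domain), cnames)
    if cred.may_change(hops[-1], "TXT"):  # can publish the token directly
        return True
    # Replacing any CNAME link repoints the chain to a record the holder controls.
    return any(cred.may_change(hop, "CNAME") for hop in hops[:-1])

def blast_radius(cred, domains, cnames):
    """Summarise what a stolen credential exposes for the audited domains."""
    return {
        "certificates": sorted(d for d in domains if can_issue(cred, d, cnames)),
        "redirect_traffic": sorted(d for d in domains if cred.may_change(norm(d), "A")),
        # Simplification: only the TXT record on the name itself (where SPF lives).
        "mail_txt": sorted(d for d in domains if cred.may_change(norm(d), "TXT")),
    }

# Constructed data. otherdomain.tld is served from a different machine but
# delegates its validation record to the same external zones.
DOMAINS = ["yourdomain.tld", "www.yourdomain.tld", "otherdomain.tld"]
THROWAWAY = {
    "_acme-challenge.yourdomain.tld": "yourdomain.validation.example",
    "_acme-challenge.www.yourdomain.tld": "www.validation.example",
    "_acme-challenge.otherdomain.tld": "otherdomain.validation.example",
}
ACME_DNS = {
    "_acme-challenge.yourdomain.tld": "a1b2c3.auth.example",
    "_acme-challenge.www.yourdomain.tld": "d4e5f6.auth.example",
    "_acme-challenge.otherdomain.tld": "0718ab.auth.example",
}
SCENARIOS = {
    "full zone credential":
        (Credential("yourdomain.tld", frozenset({"*"})), {}),
    "TXT-only credential":
        (Credential("yourdomain.tld", frozenset({"TXT"})), {}),
    "throwaway validation zone":
        (Credential("validation.example", frozenset({"*"})), THROWAWAY),
    # Credentials stored on this box cover only its own two random subdomains.
    "ACME-DNS style credential":
        (Credential("auth.example", frozenset({"TXT"}),
                    frozenset({"a1b2c3.auth.example", "d4e5f6.auth.example"})), ACME_DNS),
}

def report():
    """Blast radius per scenario for the constructed domains above."""
    return {label: blast_radius(cred, DOMAINS, cnames)
            for label, (cred, cnames) in SCENARIOS.items()}

if __name__ == "__main__":
    for label, exposure in report().items():
        print(label)
        for kind, names in exposure.items():
            print(f"  {kind}: {', '.join(names) or '-'}")
```

<p>In this model the throwaway-zone credential still covers otherdomain.tld because its validation record lives in the same zone, while the ACME-DNS style credential covers only the two records registered for the machine that stores it.</p>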
<h3>Conclusion</h3>
<p>To alleviate the issues with ACME DNS challenge validation, proposals like <a href="https://mailarchive.ietf.org/arch/msg/acme/6_j3fecaxIgwNTpJ3693U_n0Kec">assisted-DNS</a> to IETF’s ACME working group have been discussed, but are currently still left without a resolution. Since the only way to limit exposure from a compromise is to limit the DNS zone credential privileges to only changing specific TXT records, the current possibilities for securely implementing automation for DNS validation are slim. The only sustainable option would be to get DNS software and service providers to either implement methods to create more fine-grained zone credentials or provide a completely new type of credentials for this exact use case.</p>
</div></div></div>
Tue, 27 Feb 2018 01:03:23 +0000
98183 at https://www.eff.org
Encrypting the Web
Security Education
Joona Hoikkala

How Grassroots Activists in Georgia Are Leading the Opposition Against a Dangerous “Computer Crime” Bill
https://www.eff.org/deeplinks/2018/02/how-grassroots-activists-georgia-are-leading-opposition-against-dangerous-computer
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>A misguided bill in Georgia (<a href="http://www.legis.ga.gov/legislation/en-US/Display/20172018/SB/315">S.B. 315</a>) threatens to criminalize independent computer security research and punish ordinary technology users who violate fine-print terms of service clauses. S.B. 315 is currently making its way through the state’s legislature amid uproar and resistance that its sponsors might not have fully anticipated. At the center of this opposition is a group of concerned citizen-advocates who, through their volunteer advocacy, have drawn national attention to the industry-wide implications of this bill.</p><p>Scott M. Jones and David Merrill from <a href="http://www.ef-georgia.org">Electronic Frontiers Georgia</a>—a group that participates in the <a href="https://www.eff.org/fight">Electronic Frontier Alliance</a> network —spoke to us about their efforts to inform legislators and the public of the harms this bill would cause.</p><hr /><p><strong>You have most recently been organizing around Georgia Senate Bill 315. What is the bill about, and what are your concerns with it?</strong></p><p><em>Scott:</em> Senate Bill 315 is a computer intrusion bill. Georgia already has on the books some very strong laws against computer intrusion, computer fraud, and the malicious side of hacking. I think this is pretty well covered in state law as it is.</p><p>There was an incident last year at Kennesaw State University. Some of the functions for conducting elections in the state of Georgia were farmed out to KSU and their Election Center, and there was a data breach there. That was very big in the news. What they didn’t say in the news at the time was that [it was] a security researcher who found a vulnerability and reported it ethically. 
As it turns out, the researcher in question was not even targeting KSU election systems, but merely found inappropriate personal information via a Google search, and then tried to get authorities to act quickly to remove it. This person, as we found out later, was investigated by the FBI and they came up clean. [The FBI] didn’t have anything to charge them with, so they left.</p><p>The state feels very embarrassed by this, and the attorney general’s office has asked for a bill that goes above and beyond the existing statutes that we have against computer crime. That’s where Senate Bill 315 came from. To use the language that the attorney general’s office used, they want to build it to criminalize so-called “poking around.” Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law.</p><p><em>David:</em> I’ve worked in Atlanta cyber security for about 13 years and it’s a very tight-knit community. People from one company will go to another company, or a lot of the founders from one company will end up founding another company. A lot of them started from incubators and think tanks at our university system here—a lot of them at Georgia Institute of Technology. So if you have a chilling effect on one founder or one person who is interested in this kind of topic it can really stifle an entire industry and the whole chain of people creating all these other organizations.</p><p><strong>Other than security researchers, who else needs to be concerned about this bill?</strong></p><p><em>Scott:</em> The other issue with Senate Bill 315 is it’s so broadly written that it could bring in terms of service [enforcement]. Terms of service come from a private company—for instance, your cable and Internet provider have terms of service. 
The bill is so broadly written that a violation of terms of service could possibly be construed as a criminal violation, and that would be improper delegation of powers.</p><p><em>David:</em> S.B. 315 uses the term, “unauthorized access,” which is a very murky term. If you’re trying to go through all the proper channels in advance and get authorization for something, it’s not always clear who the person who has the authority to give that authorization is. If it’s a website and you’re testing some part of a website’s security you might think it’s the website administrator, but often it’s not. Often it’s their IT dev ops team or the tech ops team or something else. You may even get permission from one person and think you’re in the clear, and the next thing you know they say that’s not the correct authorization. With the broadness of the way this bill is written, there are way too many circumstances where somebody could be in violation of the law just performing their daily duties.</p><p><strong>What is your game plan right now for fighting this bill?</strong></p><p><em>Scott:</em> It was voted on by the Senate, so now it goes on to the House and it will be heard in committee. The game plan right now would be to line up support to have a good showing at the House committee meeting. What we need in addition to ordinary people who do technology every day is some C-level people—CEOs, CIOs, CFOs, CTOs, CISOs, etc.</p><p><strong>Electronic Frontiers Georgia participates in the Electronic Frontier Alliance. From that perspective, are there any notable differences between legislative-based organizing and, say, generally raising awareness of digital rights locally?</strong></p><p><em>Scott:</em> As far as legislative versus non-legislative organizing: Electronic Frontiers Georgia is also very interested in raising general awareness and teaching basic concepts, but I’m finding that it’s really hard to do both. 
We’re in legislative mode while the legislature is in session, which is roughly January 1st through about April 1st. After the legislative season is over we pivot back to educational and social mode. It’s good to do both, but it can be very difficult to do both at the same time. Groups that are actively doing activism at the state level shouldn’t beat themselves up if they’re not able to keep the same educational schedule up during the busy legislative season.</p><p><strong>Electronic Frontiers Georgia has started working with other community groups in the area on the S.B. 315 fight. What advice would you give to grassroots groups who want to work more collaboratively with each other but have never done so before?</strong></p><p><em>Scott:</em> What I’m finding is that there are a lot of groups in the area but a lot of them are siloed, which is to say that they essentially keep to themselves and don’t mix with the other groups very frequently. They’re focused on their main core interest, and they just probably haven’t considered some of the issues like S.B. 315. It’s a challenge to bring disparate groups together, but I’m trying to talk to them. For example, I’m giving a talk on S.B. 315 to DC404, which is the local DEFCON group—an information security group.</p><p>We’re also trying to invite in other groups that are not necessarily technology-focused that I think would be interested in this particular fight if they just understood it better. One of the real struggles with S.B. 315 is trying to convince people who don’t work in technology that this is something they should care about. With news of data breaches every day, how do you explain to somebody that this is actually going to make security worse rather than make it better? That requires a lot of explaining. 
Some of these groups are looking for speakers and content, and that’s an opportunity for us to step in and fill that, and maybe explain our position to a better degree.</p><hr /><p>For more on Georgia S.B. 315, <a href="https://www.eff.org/deeplinks/2018/02/georgia-must-block-flawed-computer-crime-bill">read here</a>. If you’re advocating for digital rights within your community, please <a href="https://www.eff.org/EFA-FAQ">explore</a> the <a href="https://www.eff.org/electronic-frontier-alliance">Electronic Frontier Alliance</a> and consider <a href="https://supporters.eff.org/join-efa">joining</a>.</p><p><em>This interview has been lightly edited for length and readability. Additional information about the KSU breach was added after the original interview.</em></p>
</div></div></div>
Mon, 26 Feb 2018 18:40:21 +0000
98177 at https://www.eff.org
Electronic Frontier Alliance
Computer Fraud And Abuse Act Reform
Camille Ochoa

The Problems With FISA, Secrecy, and Automatically Classified Information
https://www.eff.org/deeplinks/2018/02/problems-fisa-secrecy-and-automatically-classified-information
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>We need to talk about national security secrecy. Right now, there are two memos on everyone’s mind, each with its own version of reality. But the memos are just one piece. How the memos came to be—and why they continue to roil the waters in Congress—is more important. </p>
<p>On January 19, staff for Representative Devin Nunes (R-CA) wrote a <a href="https://upload.wikimedia.org/wikipedia/commons/2/25/Nunes_Memo.pdf">classified memo</a> alleging that the FBI and DOJ committed surveillance abuses in their <a href="https://www.nytimes.com/2018/01/28/us/politics/rod-rosenstein-carter-page-secret-memo.html">applications for and renewal of a surveillance order against former Trump administration advisor Carter Page.</a> Allegedly, the FBI and DOJ’s surveillance application included biased, politically-funded information.</p>
<p>The House Permanent Select Committee on Intelligence, on which Rep. Nunes serves as chairman, later voted to release the memo. What the memo meant, however, depended on who was talking. Some Republican House members took the memo as fact, claiming it showed “<a href="https://twitter.com/RepLeeZeldin/statuses/957670316989407232">abuse</a>” and efforts to “<a href="http://www.washingtonexaminer.com/republicans-rally-for-public-release-of-memo-on-fisa-abuses/article/2646412">undermine our country</a>.” But Rep. Adam Schiff (D-CA)—who serves as Ranking Member on the House Permanent Select Committee on Intelligence, across from Nunes—<a href="https://www.washingtonpost.com/powerpost/gop-memo-on-surveillance-abuse-seeks-to-discredit-the-trump-russia-dossier/2018/01/19/7b4babbc-fd3f-11e7-a46b-a3614530bd87_story.html?utm_term=.46c0eabadfa5">called the memo</a> “profoundly misleading” and, in an opinion for <a href="https://www.washingtonpost.com/opinions/rep-nuness-memo-crosses-a-dangerous-line/2018/01/31/cbdabedc-0696-11e8-b48c-b07fea957bd5_story.html?utm_term=.3d4353f8df23">The Washington Post</a>, said it “cherry-picks facts.”</p>
<p>Even the FBI entered the debate, <a href="http://thehill.com/policy/national-security/371636-fbi-warns-it-has-grave-concerns-about-material-omissions-of-fact-in">slamming the memo</a> and saying the agency had “grave concerns about material omissions of fact that fundamentally impact the memo's accuracy.” And Assistant Attorney General Stephen Boyd of the DOJ said releasing the memo without review would be “<a href="https://www.cnn.com/2018/01/24/politics/nunes-memo-fbi/index.html">extraordinarily reckless</a>.” Finally, the president said the memo “<a href="https://twitter.com/realdonaldtrump/status/959798743842349056?lang=en">totally vindicates</a>” him from special counsel Robert Mueller’s investigation into his administration.</p>
<p>So a lawmaker made serious charges about surveillance abuses and corruption at the highest levels, and the rest of Congress and the public were ensnared in a guessing game: Could they trust Devin Nunes and what he says? Is the memo he wrote, and the allegations in it, just smoke or is there fire? Unfortunately, the information needed to evaluate his claims is hidden within multiple, nested layers of secrecy.</p>
<p>The secrecy starts with surveillance applications and secret court opinions, which are protected by classification that requires proper security clearance. Only a handful of lawmakers can read the materials, but even they can’t openly discuss them in public. They could write a report, but the FBI and Justice Department would ask to redact the report. After redactions, the report would be subject to a committee vote for release. If the report is cleared by committee, it ordinarily requires the president’s approval.</p>
<p>At any point in the process, this information could have been mislabeled, misidentified, embellished, or obscured, and we’d have almost no way of knowing.</p>
<p>It’s time to talk about FISA again, and the problems with its multi-layered secrecy regime.</p>
<p>We’re going to talk about a surveillance law that, when passed, installed secrecy both in a court system and in Congress, barring the public and their representatives from accessing important information. When that information is partially revealed, it’s near impossible for the public to trust it. </p>
<h2><strong>The Foreign Intelligence Surveillance Act and Its Regime of Secrecy</strong></h2>
<p>Passed in 1978, the Foreign Intelligence Surveillance Act (FISA) dictates how the government conducts physical and electronic surveillance for national security purposes against “foreign powers” and “agents of foreign powers.” FISA allows surveillance against “U.S. persons,” Americans and others in the U.S., so long as the agency doing the surveillance demonstrates and provides probable cause that the U.S. person is engaged in terrorism, espionage, or other activities on behalf of a foreign power.</p>
<p>Typically when law enforcement conducts a search, the Fourth Amendment requires that they get a search warrant approved by a neutral magistrate, a judge assigned to hear warrant applications. Under FISA, surveillance orders go through a slightly different review. The statute created an entirely separate court venue filled with 11 judges designated to review FISA surveillance orders. These judges make up the Foreign Intelligence Surveillance Court (FISC). </p>
<p>Similar to how courts review standard search warrants, FISC judges review FISA surveillance applications out of public view. Judges typically hear arguments from the government and no one else, court hearings are not public, and the FISA orders themselves are kept secret.</p>
<p>(Notably, this warrant-like review does not happen under Section 702 of FISA, which the NSA uses to collect billions of communications without a warrant, including Americans’ communications. Under Section 702, which you can read about <a href="https://www.eff.org/702-spying">here</a>, FISC judges do not review individual targets of surveillance and instead sign off on programmatic surveillance policies.)</p>
<p>In the FISC, secrecy in each step is heightened. The court’s opinions and any transcript or record of the proceedings are automatically classified. Even the court’s physical location is constructed to be “the nation’s most secure courtroom,” <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/03/01/AR2009030101730.html">with reinforced concrete and hand scanners</a> to keep unauthorized people out.</p>
<p>This secrecy is hard to unravel after the fact. When recently asked by Rep. Nunes for more information about the renewed FISA surveillance warrant on Carter Page, Rosemary Collyer, the presiding judge of the FISC, wrote:</p>
<p>“As you know, any such transcripts would be classified. It may also be helpful for me to observe that, in a typical process of considering an application, we make no systematic record of questions we ask or responses the government gives.”</p>
<p>Although surveillance conducted for run-of-the-mill law enforcement is often shadowy, the FISA process is far more shielded from public view. For example, standard search warrants are used to gather evidence for later prosecutions that are by default public. That means at some point the government has to face—and knows it has to face—a defense attorney’s efforts to question the evidence gathered from the search warrant. This is known as a “motion to suppress,” and with typical search warrants, these motions are filed in a public court. When that court hears a motion to suppress, it usually issues an order discussing why the surveillance violated—or didn’t violate—the law. This is how our legal system is intended to function. Lawyers and the public actually learn what the law is through this process, because in our system it is the duty of courts to “<a href="https://en.wikipedia.org/wiki/Marbury_v._Madison">say what the law is</a>.” For that reason, <a href="https://www.eff.org/deeplinks/2014/09/secret-law-not-law">secret law is a perversion of our system</a>.</p>
<p>Moreover, the public disclosure of law enforcement search warrants serves important ends outside of any particular legal challenge. For one, they let the public know what police are doing, both in their name and with their tax dollars. Second, they allow for greater accountability when police overstep their authority or otherwise misbehave.</p>
<p>FISC proceedings routinely fail this test.</p>
<p>FISA orders are for foreign intelligence purposes, so the surveillance is rarely used in a prosecution and rarely challenged in a motion to suppress. Moreover, even if the fruits of FISA surveillance are used in court, criminal defendants and other litigants are deprived of access to this information, so they have little way of knowing if evidence brought against them may have come from an improper FISA order. (FISA provides a mechanism for defendants to request this information, but no defendant has succeeded in doing so in FISA’s 40-year history.) This impedes a defendant’s ability to challenge their prosecution, and it prevents related, public knowledge of these challenges.</p>
<p>But the secrecy in FISA extends much further than FISC, adding further opaque layers between what intelligence agencies and the court do and what the public sees.</p>
<h2><strong>Lacking Congressional Oversight</strong></h2>
<p>In practice, congressional oversight of the FISA process and the underlying materials is severely constrained. Although they have security clearances by virtue of their office, many lawmakers are kept far away from classified documents because they do not have cleared staff to assist in processing the information, and their requests are <a href="https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sharing-secrets-with-lawmakers-congress-as-a-user-of-intelligence/3.htm">given lower priority than members of the intelligence oversight committees</a>.</p>
<p>Even members of those House and Senate intelligence committees do not always have access to everything. In the case of the Nunes memo, only the “Gang of Eight” congressional leaders and a handful of others out of the 435 members of the House of Representatives and the 100 members of the Senate reportedly had access to the underlying FISA surveillance applications and unredacted FISC opinions.</p>
<p>This problem has restricted Congress members before. In 2003, when then-House intelligence committee chairman Jay Rockefeller learned of the NSA’s unconstitutional spying programs under President George W. Bush, he had little capability to fight back. He <a href="https://www.newyorker.com/magazine/2013/12/16/state-of-deception">wrote to then-Vice President Dick Cheney</a>:</p>
<p>“As you know, I am neither a technician nor an attorney. Given the security restrictions associated with this information, and my inability to consult staff or counsel on my own, I feel unable to fully evaluate, much less endorse these activities.”</p>
<p>Rockefeller—who knew of the programs—could not speak of them. For everyone else, reading FISA and FISC materials is close to impossible. Even after Congress passed the USA FREEDOM Act in 2015 requiring that significant FISC opinions be released to the public, these opinions are still highly redacted and tightly guarded, and no FISA application material has ever been revealed to the public.</p>
<p>It’s for these reasons that EFF has long called for Congress <a href="https://www.eff.org/document/strengthening-congressional-oversight-intelligence-community">to reform</a> how it oversees surveillance activities conducted by the Executive Branch, including by providing all members of Congress with the tools they need to meaningfully understand and challenge activities that are so often veiled in extreme secrecy.</p>
<h2><strong>Why This Matters</strong></h2>
<p>FISA’s inherent secrecy causes a chain reaction. Because the FISC’s surveillance orders are kept secret, it is hard to know if they are ever improper. Because criminal defendants are kept in the dark about what evidence was used to obtain a FISA order, they cannot meaningfully challenge if the order was wrongly issued.</p>
<p>In Congress, because lawmakers are widely excluded from knowing the FISC’s procedures, efforts to fix the process are scarce. And, as we’ve seen with the Nunes memo, because so few lawmakers can access FISA materials, if one lawmaker uses that access to make extraordinary claims, trying to prove or refute those claims is mostly futile.</p>
<p>Plainly, outsiders do not know who is telling the truth. Because the public cannot read the underlying FISA materials that the memo is based on, they can’t accurately separate fact from fiction. They cannot see the FISC’s written approval for the order. They cannot see the order itself. And they cannot see the materials that went into the surveillance application.</p>
<p>According to reports, the majority of Congress is in the exact same position. They have not been able to see the FISC’s written approval for the order; they cannot see the order itself. And they cannot see the materials that went into the surveillance application.</p>
<p>Rep. Adam Schiff, a member of the Gang of Eight, has tried to refute the Nunes memo, relying on the classified FISA order and surveillance application to write a sort of counter-memo. But Schiff’s counter-memo was originally blocked by the Trump administration, with a lawyer for the president <a href="https://www.politico.eu/article/trump-russia-probe-blocks-release-of-democratic-memo/">explaining</a> that it “contains numerous properly classified and especially sensitive passages.”</p>
<p>What is sensitive about those passages, we don’t know. Why they are classified, we don’t know. What they could clear up, we don’t know. And we can’t assess the White House’s claim that this counter-memo is too sensitive to be released, even though it approved release of the Nunes memo.</p>
<p>On February 24, the House Intelligence Committee ignored the White House’s wishes and released Rep. Schiff’s counter-memo. The memo offered several claimed rebuttals to many of the allegations in the original Nunes memo, but it included far more redactions, leaving the public to, yet again, guess at the full truth.</p>
<p>And that’s the problem with FISA. Because of near airtight classification for everything that occurs in the FISC—and a corresponding congressional inaccessibility to that classified information—it is exceedingly difficult to know when we are being told the truth. A single member of the Gang of Eight could, at any time, present information to the public as truth, with few opportunities for others to rebut or verify those claims.</p>
<p>These truths should not be held at the mercy of classification, and they should not be a matter of security clearances, committee votes, and personal accusations. These problems are exacerbated by Congress’ systemic failures to assert its constitutional oversight role. FISA prevents the public from knowing much of what its own government does in national security investigations, and it prevents much of Congress from being able to stop single bad actors from misrepresenting classified material.</p>
<p>EFF will continue to fight for governmental transparency. It is one of the strongest vehicles we have to ensure that our government is protecting our rights, and that our government’s members are telling the truth.</p>
</div></div></div>
Mon, 26 Feb 2018 18:32:05 +0000
98186 at https://www.eff.org
Commentary, Privacy, Transparency, Decoding 702: What is Section 702?
David Ruiz

San Francisco: Building Community Broadband to Protect Net Neutrality and Online Privacy
https://www.eff.org/deeplinks/2018/02/san-francisco-building-community-broadband-protect-net-neutrality-and-online
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Like many cities around the country, San Francisco is considering an investment in community broadband infrastructure: high-speed fiber that would make Internet access cheaper and better for city residents. Community broadband <a href="https://www.eff.org/deeplinks/2018/01/community-broadband-privacy-access-and-local-control">can help alleviate a number of issues</a> with Internet access that we see all over America today. Many Americans have no choice of provider for <a href="https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-6A1.pdf">high-speed Internet</a>, <a href="https://www.washingtonpost.com/politics/how-congress-dismantled-federal-internet-privacy-rules/2017/05/29/7ad06e14-2f5b-11e7-8674-437ddb6e813e_story.html?utm_term=.8fa7429c64fa">Congress eliminated user privacy protections</a> in 2017, and the <a href="https://www.eff.org/deeplinks/2017/12/team-internet-far-done-whats-next-net-neutrality-and-how-you-can-help">FCC decided to roll back net neutrality protections in December</a>.</p>
<p>This week, San Francisco published the recommendations of a group of experts, including EFF’s Kit Walsh, regarding how to protect the privacy and speech of those using community broadband.&#13;</p>
<p>This week, <a href="https://sfmunifiber.org/">the Blue Ribbon Panel on Municipal Fiber</a> released its <a href="https://sfmunifiber.files.wordpress.com/2018/02/privacy-governance-report.pdf">third report</a>, which tackles competition, security, privacy, net neutrality, and more. It recommends San Francisco’s community broadband require net neutrality and privacy protections. Any ISP looking to use the city’s infrastructure would have to adhere to certain standards. The model of community broadband that EFF favors is sometimes called “dark fiber” or “open access.” In this model, the government invests in fiber infrastructure, then opens it up for private companies to compete as your ISP. This means the big incumbent ISPs can no longer block new competitors from offering you Internet service. San Francisco is pursuing the “open access” option, and is quite far along in its process.&#13;</p>
<p>The “open access” model is preferable to one in which the government <em>itself</em> acts as the ISP, because of the civil liberties risks posed by a government acting as your conduit to information.</p>
<p>Of course, private ISPs can also abuse your privacy and restrict your opportunities to speak and learn online.</p>
<p>To prevent such harms, the expert panel explained how the city could best operate its network so that competition, as well as legal requirements, would prevent ISPs from violating net neutrality or the privacy of residents.</p>
<p>That would include, as was found in the 2015 Open Internet Order recently repealed by the FCC, a ban on blocking of sites, content, or applications; a ban on throttling sites, content, or applications; and a ban on paid prioritization, where ISPs favor themselves or companies who have paid them by giving their content better treatment.&#13;</p>
<p>The report also recommends requiring a number of consumer protections that Congress prevented from ever being enacted. If an ISP wants to sell or show a customer’s personal information to anyone, the customer would have to give permission first. Even the use of data that doesn’t identify someone would require permission. Both of these would have to be “opt-in,” so it would be assumed that there was no consent to use the data. (“Opt-out” would mean that using customer data is assumed to be fine unless that customer figured out how to tell them no.)</p>
<p>Furthermore, the goal is to build infrastructure that connects every home and business to a fiber optic network, guaranteeing everyone in the city access to fast, reliable Internet. And while the actual lines will be owned by the city, it will be an “open-access” model—that is, space on the city-owned lines will be leased to private companies, creating competition and choice.&#13;</p>
<p>The report also recommends that San Francisco require ISPs to protect privacy when faced with legal challenges or demands from government agencies. It recommends San Francisco require ISPs using its network to do a number of things (e.g., give up the right to look at customer communications, give up the right to consent to searches of communications, and swear to—if not prohibited by law—tell customers when they’re being asked to hand over information) to help protect the civil liberties and privacy of users.</p>
<p>With all of these things combined, San Francisco’s community broadband looks to be doing as much as possible to provide choices while also ensuring that all their options lead to a safe and secure connection to a free and open Internet. That’s something we can all work towards in our communities.</p>
</div></div></div>
Fri, 23 Feb 2018 23:36:32 +0000
98184 at https://www.eff.org
Net Neutrality
Katharine Trendacosta

The Federal Circuit Should Not Allow Patents on Inventions that Should Belong to the Public
https://www.eff.org/deeplinks/2018/02/federal-circuit-should-not-allow-patents-inventions-should-belong-public
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>One of the most fundamental aspects of patent law is that patents should only be awarded for new inventions. That is, not only does someone have to invent something new to them in order to receive a patent, it must also be new to the world. If someone independently comes up with an idea, it doesn’t mean that person should get a patent if someone else already came up with the same idea and told the public.</p>
<p>There’s good reason for this: patents are an artificial restraint on trade. They work to increase costs (the patent owner is rewarded with higher prices) and can impede <a href="https://www.nytimes.com/2014/04/19/opinion/nocera-greed-and-the-wright-brothers.html">follow-on innovation</a>. Policy makers generally try to justify what would otherwise be considered a monopoly through the argument that without patents, inventors may never have invested in research or might not want to make their inventions public. Thus, the story goes, we should give people limited monopolies in the hopes that overall, we end up with more innovation (whether this is actually true, particularly for <a href="https://www.eff.org/deeplinks/2013/05/whats-stake-cls-bank-software-patents">software</a>, is <a href="https://www.eff.org/deeplinks/2017/05/no-evidence-stronger-patents-will-mean-more-innovation">debatable</a>).</p>
<p>A U.S. Court of Appeals for the Federal Circuit rule, however, upends the patent bargain and allows a second-comer—someone who wasn’t the first inventor—to get a patent under a particular, <a href="https://patentlyo.com/patent/2017/12/federal-circuit-analysis.html">albeit fairly limited</a>, circumstance. A new petition challenges this rule, and EFF has filed an <a href="https://www.eff.org/files/2018/02/23/16-2388_eff_ariosa_amicus.pdf">amicus brief</a> in support of undoing the Federal Circuit’s misguided rule.</p>
<p>The rule is based on highly technical details of the Patent Act, which you can read about in our brief along with those of <a href="https://www.eff.org/files/2018/02/23/16-2388_-_appellant_ariosa_diagnostics_inc.s_petition_for_rehearing_en_banc.pdf">Ariosa</a> (the patent challenger) and a <a href="https://www.eff.org/document/law-professors-amicus-brief-ariosa-v-illumina">group of law professors</a>. Our brief argues that the Federal Circuit rule is an incorrect understanding of the law. We ask the Federal Circuit to rehear the issue with the full court, and reverse its current rule.</p>
<p>While the Federal Circuit rule is fairly limited and doesn’t arise in many situations, we have significant concerns about the policy it seems to espouse. Contrary to decades of Supreme Court precedent, the rule allows, under certain circumstances, someone to get a patent on something that had already been disclosed to the public. We believe that is always bad policy.</p>
</div></div></div>
Fri, 23 Feb 2018 21:19:35 +0000
98181 at https://www.eff.org
Patents, Creativity & Innovation
Vera Ranieri

FOSTA Would Be a Disaster for Online Communities
https://www.eff.org/deeplinks/2018/02/fosta-would-be-disaster-online-communities
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><h3>Frankenstein Bill Combines the Worst of SESTA and FOSTA. Tell Your Representative to Reject New Version of H.R. 1865.</h3>
<p>The House of Representatives is about to vote on a bill that would force online platforms to censor their users. The Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA, <a href="https://www.congress.gov/bill/115th-congress/house-bill/1865">H.R. 1865</a>) might sound noble, but it would do nothing to stop sex traffickers. What it <em>would</em> do is force online platforms to police their users’ speech more forcefully than ever before, silencing legitimate voices in the process.&#13;</p>
<p>Back in December, we said that while FOSTA was a very dangerous bill, <a href="https://www.eff.org/deeplinks/2017/12/amended-version-fosta-would-still-silence-legitimate-speech-online">its impact on online spaces would not be as broad as</a> the Senate bill, the <a href="https://stopsesta.org/">Stop Enabling Sex Traffickers Act</a> (SESTA, <a href="https://www.congress.gov/bill/115th-congress/senate-bill/1693">S. 1693</a>). That’s about to change.</p>
<p>The House Rules Committee is about to approve a <a href="/files/2018/02/22/fosta-amendment.pdf">new version of FOSTA</a> [.pdf] that incorporates most of the dangerous components of SESTA. This new Frankenstein’s Monster of a bill would be a disaster for Internet intermediaries, marginalized communities, and even trafficking victims themselves.</p>
<p>If you don’t want Congress to undermine the online communities we all rely on, please take a moment to <a href="https://act.eff.org/action/stop-fosta">call your representative and urge them to oppose FOSTA</a>.&#13;</p>
<p class="take-action"><a href="https://act.eff.org/action/stop-fosta">Take Action</a></p>
<p class="take-explainer"><a href="https://act.eff.org/action/stop-fosta">Stop FOSTA</a></p>
<h3>Gutting Section 230 Is Not a Solution</h3>
<p class="pull-quote">The problem with FOSTA and SESTA isn’t a single provision or two; it’s the whole approach.</p>
<p>FOSTA would undermine <a href="https://www.eff.org/issues/cda230">Section 230</a>, the law protecting online platforms from some types of liability for their users’ speech. As we’ve explained before, <a href="https://www.eff.org/deeplinks/2017/08/internet-censorship-bill-would-spell-disaster-speech-and-innovation">the modern Internet is only possible thanks to a strong Section 230</a>. Without Section 230, most of the online platforms we use would never have been formed—the risk of liability for their users’ actions would have simply been too high.&#13;</p>
<p>Section 230 strikes an important balance for when online platforms can be held liable for their users’ speech. Contrary to FOSTA supporters’ claims, Section 230 does nothing to protect platforms that break federal criminal law. In particular, if an Internet company knowingly engages in the advertising of sex trafficking, <a href="https://www.eff.org/deeplinks/2017/09/stop-sesta-amendments-federal-criminal-sex-trafficking-law-sweep-too-broadly">the U.S. Department of Justice can and should prosecute it</a>. Additionally, Internet companies are not immune from civil liability for user-generated content if plaintiffs can show that a company had a <a href="https://www.eff.org/deeplinks/2017/09/stop-sesta-section-230-not-broken">direct hand in creating the illegal content</a>.&#13;</p>
<p>The new version of FOSTA would destroy that careful balance, opening platforms to increased criminal and civil liability at both the federal and state levels. This includes a new federal sex trafficking crime targeted at web platforms (in addition to <a href="https://www.law.cornell.edu/uscode/text/18/1591">18 U.S.C. § 1591</a>)—but which would not require a platform to have <em>knowledge</em> that people are using it for sex trafficking purposes. This also includes exceptions to Section 230 for state law criminal prosecutions against online platforms, as well as civil claims under federal law and civil enforcement of federal law by state attorneys general.&#13;</p>
<p>Perhaps most disturbingly, the new version of FOSTA would make the changes to Section 230 apply retroactively: a platform could be prosecuted for failing to comply with the law before it was even passed.</p>
<h3>FOSTA Would Chill Innovation</h3>
<p>Together, these measures would <a href="https://www.eff.org/deeplinks/2017/09/google-will-survive-sesta-your-startup-might-not">chill innovation and competition among Internet companies</a>. Large companies like Google and Facebook may have the budgets to survive the massive increase in litigation and liability that FOSTA would bring. They may also have the budgets to implement a mix of automated filters and human censors to comply with the law. Small startups don’t. And with the increased risk of litigation, it would be difficult for new startups ever to find the funding they need to compete with Google.&#13;</p>
<p>Today’s large Internet companies would not have grown to prominence without the protections of Section 230. FOSTA would raise the ladder that has allowed those companies to grow, <a href="https://www.eff.org/deeplinks/2017/11/internet-association-endorses-internet-censorship-bill">making it very difficult for newcomers ever to compete with them</a>.&#13;</p>
<h3>FOSTA Would Censor Victims</h3>
<p class="pull-quote">Congress should think long and hard before dismantling the very tools that have proven most effective in fighting trafficking.</p>
<p>More dangerous still is the impact that FOSTA would have on online speech. Facing the threat of extreme criminal and civil penalties, web platforms large and small would have little choice but to silence legitimate voices. Supporters of SESTA and FOSTA pretend that it’s easy to distinguish online postings related to sex trafficking from ones that aren’t. It’s not—and it’s impossible at the scale needed to police a site as large as Facebook or Reddit. The problem is compounded by FOSTA’s expansion of federal prostitution law. Platforms would have to take extreme measures to remove a wide range of postings, especially those related to sex.&#13;</p>
<p>Some supporters of these bills have argued that platforms can rely on automated filters in order to distinguish sex trafficking ads from legitimate content. That argument is laughable. It’s difficult for a human to distinguish between a legitimate post and one that supports sex trafficking; <a href="https://www.eff.org/deeplinks/2017/09/stop-sesta-whose-voices-will-sesta-silence">a computer certainly could not do it with anything approaching 100% accuracy</a>. Instead, platforms would have to calibrate their filters to over-censor. When web platforms rely too heavily on automated filters, it often puts marginalized voices at a disadvantage.&#13;</p>
<p>Most tragically of all, the first people censored would likely be sex trafficking victims themselves. The very same words and phrases that a filter would use to attempt to delete sex trafficking content would also be used by victims of trafficking trying to get help or share their experiences.&#13;</p>
<p>There are <a href="https://www.eff.org/deeplinks/2017/10/sex-trafficking-experts-say-sesta-wrong-solution">many, many stories of traffickers being caught by law enforcement</a> thanks to clues that police officers and others found on online platforms. Congress should think long and hard before <a href="https://www.eff.org/deeplinks/2017/12/internet-censorship-bills-wouldnt-help-catch-sex-traffickers">dismantling the very tools that have proven most effective in fighting trafficking</a>.&#13;</p>
<h3>FOSTA Is the Wrong Approach</h3>
<p>There is no amendment to FOSTA that would make it effective at fighting online trafficking while respecting the civil liberties of everyone online. That’s because the problem with FOSTA and SESTA isn’t a single provision or two; it’s the whole approach.&#13;</p>
<p>Creating more legal tools to go after online platforms would not punish sex traffickers. It <em>would</em> punish all of us, <a href="https://www.mercurynews.com/2017/12/11/commentary-bill-aimed-at-sex-trafficking-actually-puts-women-in-more-danger/">wrecking the safe online communities that we use every day</a>. And in the process, it would also undermine the tools that have <a href="https://www.hstoday.us/subject-matter-areas/law-enforcement-and-public-safety/legislation-stop-sex-trafficking-would-hurt-investigations/">proven most effective at putting traffickers in prison</a>. FOSTA is not the right solution, and no trimming around the edges will make it the right solution.&#13;</p>
<p>If you care about protecting the safety of our online communities—if you care about protecting everyone’s right to speak online, even about sensitive topics—we urge you to <a href="https://act.eff.org/action/stop-fosta">call your representative today and tell them to reject FOSTA</a>.&#13;</p>
<p class="take-action"><a href="https://act.eff.org/action/stop-fosta">Take Action</a></p>
<p class="take-explainer"><a href="https://act.eff.org/action/stop-fosta">Stop FOSTA</a></p>
</div></div></div>
Fri, 23 Feb 2018 00:41:27 +0000
98172 at https://www.eff.org
Call To Action, Creativity & Innovation, Free Speech, Section 230 of the Communications Decency Act
Elliot Harmon

The FCC’s Net Neutrality Order Was Just Published, Now the Fight Really Begins
https://www.eff.org/deeplinks/2018/02/fccs-net-neutrality-order-was-just-published-so-now-fight-really-begins
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Today, the FCC’s so-called “Restoring Internet Freedom Order,” which repealed the net neutrality protections the FCC had previously created with the 2015 Open Internet Order, <a href="https://www.federalregister.gov/documents/2018/02/22/2018-03464/restoring-internet-freedom">has been officially published</a>. That means the clock has started ticking on all the ways we can fight back.&#13;</p>
<p>While the rule is published today, it doesn’t take effect quite yet. ISPs can’t start blocking, throttling, or engaging in paid prioritization for a little while. So while we still have the protections of the 2015 Open Internet Order and we finally have a published version of the “Restoring Internet Freedom Order,” it’s time to act.</p>
<p>First, under the Congressional Review Act (CRA), Congress can reverse a change in regulation with a simple majority vote. That would bring the 2015 Open Internet Order back into effect. Congress has 60 working days—starting from when the rule is published in the official record—to do this. So those 60 days start now.</p>
<p>The Senate bill has <a href="https://www.markey.senate.gov/news/press-releases/senate-democrats-announce-major-milestone-in-fight-to-protect-net-neutrality-entire-senate-democratic-caucus-now-cosponsoring-legisaltion-to-reverse-fccs-recent-vote-and-fully-restore-the-2015-open">50</a> <a href="http://thehill.com/policy/technology/368164-senate-bill-that-would-preserve-net-neutrality-rules-wins-first-gop">supporters</a>, only one away from the majority it needs to pass. The House of Representatives is a bit further away. By our count, 114 representatives have made public commitments in support of voting for a CRA action. Now that time is ticking down for the vote, <a href="https://act.eff.org/action/save-the-open-internet-order">tell Congress to save the existing net neutrality rules</a>.&#13;</p>
<p>Second, it is now unambiguous that the <a href="https://ag.ny.gov/sites/default/files/petition_-_filed.pdf">lawsuits of 22 states</a>, <a href="https://www.freepress.net/blog/2017/12/22/were-suing-fcc-heres-how-it-works">public interest</a> <a href="https://www.publicknowledge.org/press-release/public-knowledge-files-protective-petition-in-dc-circuit-regarding-net-ne">groups</a>, <a href="https://blog.mozilla.org/blog/2018/01/16/mozilla-files-suit-fcc-protect-net-neutrality/">Mozilla</a>, and the <a href="https://internetassociation.org/statement-restoring-internet-freedom-order/?utm_source=Beltway+%28DC+Tech+%26+Congressional%29&amp;utm_campaign=c6f8120662-EMAIL_CAMPAIGN_2018_01_05&amp;utm_medium=email&amp;utm_term=0_9f8d7f4f65-c6f8120662-114617569">Internet Association</a> can begin. While the FCC decision said lawsuits had to wait until ten days after the official publication, there was some question about whether federal law said something else. So while some suits have already been filed, with the 10-day counter from the FCC starting, it’s clear that lawsuits can begin.</p>
<p>And, of course, states and other local governments continue to move forward on their own measures to protect net neutrality. <a href="https://www.freepress.net/blog/2018/02/14/net-neutrality-politics-local">26 state legislatures are considering net neutrality</a> legislation and five governors have issued executive orders on net neutrality. <a href="https://www.eff.org/deeplinks/2018/01/californias-senate-misfires-network-neutrality-ignores-viable-options">EFF has some ideas</a> on how state law can stand up to the FCC order. <a href="https://www.eff.org/deeplinks/2018/01/community-broadband-privacy-access-and-local-control">Community broadband</a> can also ensure that net neutrality principles are enacted on a local level. For example, <a href="https://arstechnica.com/information-technology/2018/02/san-fran-seeks-universal-fiber-broadband-with-net-neutrality-and-privacy/">San Francisco is currently looking for proposals</a> to build an open-access network that would require net neutrality guarantees from any ISP looking to offer services over the city-owned infrastructure.&#13;</p>
<p>So while the FCC’s vote in December was in direct contradiction to the wishes of <a href="http://thehill.com/policy/technology/364528-poll-83-percent-of-voters-support-keeping-fccs-net-neutrality-rules">the majority of Americans</a>, the publishing of that order means that action can really start to be taken.</p>
</div></div></div>
Thu, 22 Feb 2018 21:26:31 +0000
98170 at https://www.eff.org
Net Neutrality
Katharine Trendacosta

When the Copyright Office Meets, the Future Needs a Seat at the Table
https://www.eff.org/deeplinks/2018/02/when-copyright-office-meets-future-doesnt-get-seat-table
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Every three years, EFF's lawyers spend weeks huddling in their offices, composing carefully worded pleas we hope will persuade the Copyright Office and the Librarian of Congress to grant Americans a modest, temporary permission to use our own property in ways that are already legal.&#13;</p>
<p>Yeah, we think that's weird, too. But it's been that way ever since 1998, when Congress passed the Digital Millennium Copyright Act, whose Section 1201 established a ban on tampering with "access controls for copyrighted works" (also known as "Digital Rights Management" or "DRM"). It doesn't matter if you want to do something absolutely legitimate, something that there is no law against -- if you have to bypass DRM to do it, it's not allowed.</p>
<p>What's more, if someone wants to provide you with a tool to get around the DRM, they could face up to five years in prison and a $500,000 fine, for a first offense, even if the tool is only ever used to accomplish legal, legitimate ends.</p>
<p>Which brings us back to EFF's lawyers, sweating over their briefs every three years. The US Copyright Office holds proceedings every three years to determine whether it should recommend that the Librarian of Congress grant some limited exemptions to this onerous rule. Every three years, EFF begs for -- and wins -- some of these exemptions, by explaining how something people <em>used</em> to be able to do has been shut down by DMCA 1201 and the DRM it supports.&#13;</p>
<p>But you know what we <em>don't</em> get to do? We don't get to ask for the right to break DRM to do things that no one has ever thought of -- at least, that they haven't thought of <em>yet</em>. We don't get to brief the Copyright Office on the harms to companies that haven't been founded yet, the gadgets they haven't designed yet, and the users they haven't attracted yet. Only the past gets a seat at the table: the future isn't welcome.&#13;</p>
<p>That's a big problem. Many of the tools and technologies we love today were once transgressive absurdities: mocked for being useless and decried as immoral or even criminal. The absurd transgressors found ways to use existing technologies and products to build new businesses, over the howls of objections from the people who'd come before them.</p>
<p>It's a long and honorable tradition, and without it, we wouldn't have <a href="https://www.eff.org/deeplinks/2016/04/save-comcast">cable TV</a> (reviled as thieves by the broadcasters in their early days); <a href="https://www.eff.org/deeplinks/2016/04/save-netflix">Netflix</a> (called crooks by the Hollywood studios for mailing DVDs around in red envelopes); or <a href="https://www.eff.org/deeplinks/2016/04/save-itunes">iTunes</a> ("Rip, Mix, Burn" was damned as a call to piracy by the record industry).&#13;</p>
<p>These businesses exist because they did something that <em>wasn't</em> customary, something rude and disorderly and controversial -- they did things that were legal, but unsanctioned by the businesses they were doing those things <em>to</em>.&#13;</p>
<p>And today, as these businesses have reached maturity, the so-called pirates have become admirals. Today, these former disruptors also use DRM and are glad that bypassing their DRM to do something legal is banned (because their shareholders prefer it that way).&#13;</p>
<p>Those companies aren't doing themselves any favors, either. Even as Apple was asking the Copyright Office to ban third-party modifications to the iPhone, it was <a href="https://motherboard.vice.com/en_us/article/8xa4ka/iphone-jailbreak-life-death-legacy">copying these unauthorized innovations</a> and including them in the official versions of its products.&#13;</p>
<p>Our <a href="http://eff.org/missing-devices">Catalog of Missing Devices</a> gives you a sense of what we've lost because DMCA 1201 has given the companies that succeeded last year the right to decide who can compete with them in the years to come.</p>
<p>It's a year that's divisible by three, and that means that <a href="https://www.eff.org/cases/2018-dmca-rulemaking">EFF is back at the Copyright Office</a>, pleading for the right of the past to go on in the present -- but we <em>can't</em> ask the Copyright Office to protect the future: the DMCA doesn't allow it.</p>
<p>That's why <a href="https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate">we've sued the US Government to invalidate Section 1201 of the DMCA</a>: Congress made a terrible blunder in 1998 when it created that law, and the effects of that blunder mount with each passing year. We need to correct it -- and the sooner, the better.</p>
</div></div></div>
Wed, 21 Feb 2018 17:33:05 +0000
98142 at https://www.eff.org
Commentary, DRM, DMCA Rulemaking
Cory Doctorow

The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation
https://www.eff.org/deeplinks/2018/02/malicious-use-artificial-intelligence-forecasting-prevention-and-mitigation
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>In the coming decades, artificial intelligence (AI) and machine learning technologies are going to transform many aspects of our world. Much of this change will be positive; the potential for benefits in areas as diverse as health, transportation and urban planning, art, science, and cross-cultural understanding is enormous. We've already seen things go <a href="https://www.propublica.org/article/machine-bias-risk-assessments-in-criminal-sentencing">horribly</a> <a href="https://www.propublica.org/article/minority-neighborhoods-higher-car-insurance-premiums-white-areas-same-risk">wrong</a> with simple machine learning systems; but <a href="/ai/metrics">increasingly sophisticated AI</a> will usher in a world that is strange and different from the one we're used to, and there are serious risks if this technology is used for the wrong ends.</p>
<p>Today EFF is co-releasing a report with a number of academic and civil society organizations<a class="see-footnote" id="footnoteref1_byqz652" title="Other institutions releasing the report include the Universities of Cambridge and Oxford, the Center for the Study of Existential Risk, the Future of Humanity Institute, OpenAI, and the Center for a New American Security." href="#footnote1_byqz652">1</a> on the risks from malicious uses of AI and the steps that should be taken to mitigate them in advance.</p>
<p>At EFF, one area of particular concern has been the potential interactions between computer insecurity and AI. At present, computers are inherently insecure, and this makes them a poor platform for deploying important, high-stakes machine learning systems. It's also the case that AI might have <a href="https://www.eff.org/deeplinks/2016/08/darpa-cgc-safety-protocol">implications for computer [in]security</a> that we need to think about carefully in advance. The report looks closely at these questions, as well as the implications of AI for physical and political security. You can read the full document <a href="/files/2018/02/20/malicious_ai_report_final.pdf">here</a>.</p>
<ul class="footnotes"><li class="footnote" id="footnote1_byqz652"><a class="footnote-label" href="#footnoteref1_byqz652">1.</a> Other institutions releasing the report include the Universities of Cambridge and Oxford, the <a href="https://www.cser.ac.uk/">Center for the Study of Existential Risk</a>, the <a href="https://www.fhi.ox.ac.uk/">Future of Humanity Institute</a>, <a href="https://openai.org">OpenAI</a>, and the <a href="https://www.cnas.org">Center for a New American Security</a>.</li>
</ul></div></div></div>
Wed, 21 Feb 2018 00:30:36 +0000
98163 at https://www.eff.org
Announcement, Artificial Intelligence & Machine Learning, Security
Peter Eckersley

Did Congress Really Expect Us to Whittle Our Own Personal Jailbreaking Tools?
https://www.eff.org/deeplinks/2018/02/did-congress-really-expect-us-whittle-our-own-personal-jailbreaking-tools
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>In 1998, Congress passed the Digital Millennium Copyright Act (DMCA), and profoundly changed the relationship of Americans to their property.&#13;</p>
<p>Section 1201 of the DMCA bans the bypassing of "access controls" for copyrighted works. Originally, this meant that even though you owned your DVD player, and even though it was legal to bring DVDs home with you from your European holidays, you weren't allowed to change your DVD player so that it would play those out-of-region DVDs. DVDs were copyrighted works, the region-checking code was an access control, and so even though you owned the DVD, and you owned the DVD player, and even though you were allowed to watch the disc, you weren't allowed to modify your DVD player to play your DVD (which you were allowed to watch).&#13;</p>
<p>Experts were really worried about this: law professors, technologists and security experts saw that soon we'd have software—that is, copyrighted works—in all kinds of devices, from cars to printer cartridges to voting machines to medical implants to thermostats. If Congress banned tinkering with the software in the things you owned, it would tempt companies to use that software to create "private laws" that took away your rights to use your property in the way you saw fit. For example, it's legal to use third party ink in your HP printer, but once HP <a href="https://www.eff.org/deeplinks/2016/09/what-hp-must-do-make-amends-its-self-destructing-printers">changed its printers</a> to reject third-party ink, they could argue that anything you did to change them back was a violation of the DMCA.&#13;</p>
<p>Congress's compromise was to order the Library of Congress and the Copyright Office to hold hearings every three years, in which the public would be allowed to complain about ways in which these locks got in the way of their legitimate activities. Corporations weigh in about why their business interests outweigh your freedom to use your property for legitimate ends, and then the regulators deliberate and create some temporary exemptions, giving the public back the right to use their property in legal ways, even if the manufacturers of their property don't like it.&#13;</p>
<p>If it sounds weird that you have to ask the Copyright Office for permission to use your property, strap in, we're just getting started.&#13;</p>
<p>Here's where it gets <em>weird</em>: DMCA 1201 allows the Copyright Office to grant "use" exemptions, but not "tools" exemptions. That means that if the Copyright Office likes your proposal, they can give you permission to jailbreak your gadgets to make some use (say, install third-party apps on your phone, or record clips from your DVDs to use in film studies classes), but they <em>can't</em> give anyone the right to give you the tool needed to <em>make that use</em> (law professor and EFF board member Pam Samuelson <a href="http://people.ischool.berkeley.edu/~pam/papers/Samuelson.pdf">argues that the Copyright Office can go farther than this</a>, at least some of the time, but the Copyright Office disagrees).&#13;</p>
<p>Apparently, fans of DMCA 1201 believe that the process for getting permission to use your own stuff should go like this:&#13;</p>
<p>1. A corporation sells you a gadget that disallows some activity, or they push a software update to a gadget you already own to take away a feature it used to have;&#13;</p>
<p>2. You and your lawyers wait up to three years, then you write to the Copyright Office explaining why you think this is unfair;&#13;</p>
<p>3. The corporation that made your gadget tells the Copyright Office that <a href="https://www.copyright.gov/1201/2015/comments-032715/class%2022/John_Deere_Class22_1201_2014.pdf">you're a whiny baby who should just shut up and take it;</a>&#13;</p>
<p>4. You write back to the Copyright Office to defend your use;&#13;</p>
<p>5. Months later, the Library of Congress gives you a limited permission to use your property (maybe);&#13;</p>
<p><em>And then...</em>&#13;</p>
<p>6. You get a degree in computer science, and subject your gadget to close scrutiny to find a flaw in the manufacturer's programming;&#13;</p>
<p>7. Without using code or technical information from anyone else (including other owners of the same gadget) you figure out how to exploit that flaw to let you use your device in the way the government just said you could;&#13;</p>
<p>8. Three years later, you do it again.&#13;</p>
<p>Now, in practice, that's not how it works. In practice, people who want to use their own property in ways that the Copyright Office approves of just go digging around on offshore websites, looking for software that lets them make that use. (For example, farmers <a href="https://youtu.be/F8JCh0owT4w">download alternative software for their John Deere tractors</a> from websites they think might be maintained by Ukrainian hackers, though no one is really sure). If that software bricks their device, or steals their personal information, they have no remedy, no warranty, and no one to sue for cheating them.&#13;</p>
<p>That's the <em>best case</em>.&#13;</p>
<p>But often, the Library of Congress makes it even <em>harder</em> to make the uses they're approving. In 2015, they <a href="https://copyright.gov/1201/2015/fedreg-publicinspectionFR.pdf">granted car owners permission to jailbreak their cars</a> in order to repair them—but they didn't give <em>mechanics</em> the right to jailbreak the cars they were fixing. That ruling means that you, personally, can fix your car, provided that 1) you know how to fix a car; and 2) you can personally jailbreak the manufacturer's car firmware (in addition to abiding by the other snares in the final exemption language).&#13;</p>
<p>In other cases, the Copyright Office limits the term of the exemption as well as the scope: in the 2015 ruling, the Copyright Office gave security researchers the right to jailbreak systems to find out whether they were secure enough to be trusted, but not industrial systems (whose security is very important and certainly needs to be independently verified by those systems' owners!) and they also delayed the exemption's start for a full year, meaning that security researchers would only get two years to do their jobs before they'd have to go back to the Copyright Office and start all over again.&#13;</p>
<p>This is absurd.&#13;</p>
<p>Congress crafted the exemptions process to create an escape valve on the powerful tool it was giving to manufacturers with DMCA 1201. But even computer scientists don't hand-whittle their own software tools for every activity: like everyone else, they rely on specialized toolsmiths who make software and hardware that is tested, warranted, and maintained by dedicated groups, companies and individuals. The idea that every device in your home will have software that limits your use, and you can only get those uses back by first begging an administrative agency and then gnawing the necessary implement to make that use out of the lumber of your personal computing environment is purely absurd.&#13;</p>
<p>The Copyright Office is in the middle of a new rulemaking, and <a href="https://www.eff.org/press/releases/eff-asks-copyright-office-improve-exemptions-digital-millennium-copyright-act">we've sent in requests for several important exemptions</a>, but we're not kidding ourselves here: as important as it is to get the US government to officially acknowledge that DMCA 1201 locks up legitimate activities, and to protect end users, without the right to avail yourself of tools, the exemptions don't solve the whole problem.&#13;</p>
<p>That's why we're <a href="https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate">suing the US government to invalidate DMCA 1201</a>. DMCA 1201 wasn't fit for purpose in 1998, and it has shown its age and contradictions more with each passing year.</p>
</div></div></div>
Tue, 20 Feb 2018 19:46:09 +0000
98117 at https://www.eff.org
Commentary
DRM
DMCA Rulemaking
Cory Doctorow
"FREE from Chains!": Eskinder Nega is Released from Jail
https://www.eff.org/deeplinks/2018/02/free-chains-eskinder-nega-released-jail
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><a href="https://www.eff.org/offline/eskinder-nega">Eskinder Nega</a>, one of Ethiopia's most prominent online writers, winner of the <a href="http://www.wan-ifra.org/press-releases/2014/06/09/2014-golden-pen-of-freedom-awarded-to-eskinder-nega-of-ethiopia">Golden Pen of Freedom</a> in 2014, the International Press Institute's <a href="https://ipi.media/ethiopias-eskinder-nega-named-ipi-press-freedom-hero/">World Press Freedom Hero</a> for 2017, and PEN International's 2012 <a href="http://www.nytimes.com/2012/05/03/world/africa/eskinder-nega-ethiopian-journalist-honored-by-pen.html">Freedom to Write</a> Award, has finally been set free.&#13;</p>
<p></p><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/2018/02/16/eskinder-befakadu.jpg" alt="" title="" width="1080" height="607" /><p class="caption-text">Eskinder is greeted by well-wishers on his release. Picture by Befekadu Hailu</p></div></div></div>&#13;
<p>Eskinder has been detained in Ethiopian jails since September 2011. He was accused and convicted of violating the country's Anti-Terrorism Proclamation, primarily by virtue of his warnings in online articles that if Ethiopia's government continued on its authoritarian path, it might face an Arab Spring-like revolt.&#13;</p>
<p>Ethiopia's leaders refused to listen to Eskinder's message. Instead they decided the solution was to silence its messenger. Now, within the last few months, that refusal to engage with the challenges of democracy has led to the inevitable result. For two years, <a href="http://www.bbc.com/news/world-africa-36940906">protests against the government</a> have risen in frequency and size. A new Prime Minister, Hailemariam Desalegn, sought to reduce tensions by introducing reforms and releasing political prisoners like Eskinder. Despite thousands of prisoner releases, and the closure of one of the country's more notorious detention facilities, the protests continue. A day after Eskinder's release, Desalegn was <a href="https://www.theguardian.com/world/2018/feb/15/ethiopia-prime-minister-hailemariam-desalegn-resigns-after-mass-protests">forced to resign</a> from his position. A day later, and the government has declared <a href="https://www.theguardian.com/world/2018/feb/16/state-of-emergency-declared-in-ethiopia-amid-political-unrest">a new state of emergency</a>.&#13;</p>
<p>Even as they came face-to-face with the consequences of suppressing critics like Eskinder, the Ethiopian authorities pushed back against the truth. Eskinder's release was delayed for days, after prison officials <a href="https://www.eff.org/deeplinks/2018/02/imprisoned-blogger-eskinder-nega-wont-sign-false-confession">repeatedly demanded that Eskinder sign a confession</a> that falsely claimed he was a member of Ginbot 7, an opposition party that is banned as a terrorist organization within Ethiopia.&#13;</p>
<p>Eventually, following widespread international and domestic pressure, Eskinder was released without concession.&#13;</p>
<p>Eskinder, who was in jail for <a href="https://www.eff.org/offline/eskinder-nega">nearly seven years</a>, joins a world whose politics and society have been transformed since his arrest. His predictions about the troubles Ethiopia would face if it silenced free expression may have come true, but his views were not perfect. He was, and will be again, an online writer, not a prophet. The promise of the Arab Spring that he identified has descended into its own authoritarian crackdowns. The technological tools he used to bypass Ethiopia's censorship and speak to a wider public are now just as often <a href="https://www.eff.org/the-story-of-wael-abbas">used by dictators to silence them</a>. But that means we need more speakers like Eskinder, not fewer. And those speakers should be carefully listened to, not forced into imprisonment and exile.</p>
</div></div></div>
Sat, 17 Feb 2018 01:13:25 +0000
98160 at https://www.eff.org
Announcement
Offline : Imprisoned Bloggers and Technologists
Danny O&#039;Brien
New National Academy of Sciences Report on Encryption Asks the Wrong Questions
https://www.eff.org/deeplinks/2018/02/new-national-academy-sciences-report-encryption-asks-wrong-questions
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>The National Academy of Sciences (NAS) released a </span><a href="https://www.nap.edu/read/25010/chapter/1"><span>much-anticipated report</span></a><span> yesterday that attempts to influence the encryption debate by proposing a “framework for decisionmakers.” At best, the report is unhelpful. At worst, its framing makes the task of defending encryption harder.</span>&#13;</p>
<p><span>The report collapses the question of </span><i><span>whether</span></i><span> the government should mandate “</span><a href="https://www.eff.org/deeplinks/2015/08/deep-dive-crypto-exceptional-access-mandates-effective-or-constitutional-pick-one"><span>exceptional access</span></a><span>” to the contents of encrypted communications with </span><i><span>how </span></i><span>the government could accomplish this mandate. We wish the report gave as much weight to the benefits of encryption and risks that exceptional access poses to everyone’s civil liberties as it does to the needs—real and professed—of law enforcement and the intelligence community.</span>&#13;</p>
<p><span>From its outset two years ago, the NAS encryption study was not intended to reach any conclusions about the wisdom of exceptional access, but instead to “provide an authoritative analysis of options and trade-offs.” This would seem to be a fitting task for the National Academy of Sciences, which is a non-profit, non-governmental organization, chartered by Congress to </span><a href="http://nasonline.org/"><span>provide</span></a><span> “objective, science-based advice on critical issues affecting the nation.” The committee that authored the report included well-respected cryptographers and technologists, lawyers, members of law enforcement, and representatives from the tech industry. It also held two public meetings and solicited input from a range of outside stakeholders, EFF among them.</span>&#13;</p>
<p><span>EFF’s Seth Schoen and Andrew Crocker presented at the committee’s meeting at Stanford University in January 2017. We described what we saw as “three truths” about the encryption debate: First, there is no substitute for “strong” encryption, i.e. encryption without any intentionally included method for any party (other than the intended recipient/device holder) to access plaintext to allow decryption on demand by the government. Second, an exceptional access mandate will help law enforcement and intelligence investigations in certain cases. Third, “strong” encryption cannot be successfully fully outlawed, given its proliferation, the fact that a large proportion of encryption systems are open-source, and the fact that U.S. law has limited reach on the global stage. We wish the report had made a concerted attempt to grapple with that first truth, instead of confining its analysis to the second and third.</span>&#13;</p>
<p><span>We recognize that the NAS report was undertaken in good faith, but the trouble with the final product is twofold. </span>&#13;</p>
<p><span>First, its framing is hopelessly slanted. Not only does the report studiously avoid taking a position on whether compromising encryption is a good idea, its “options and tradeoffs” are all centered around the stated government need of “ensuring access to plaintext.” To that end, the report examines four possible options: (1) taking no legislative action, (2) providing additional support for government hacking and other workarounds, (3) a legislative mandate that providers provide government access to plaintext, and (4) mandating a particular technical method for providing access to plaintext. </span>&#13;</p>
<p class="pull-quote"><span>EFF raised concerns that encryption does not just support free expression, it </span><i><span>is </span></i><span>free expression.</span></p>
<p><span>But all of these options, including “no legislative action,” treat government agencies’ stated need to access plaintext as the only goal worth study, with everything else as a tradeoff. For example, </span><span>from EFF’s perspective, the</span><a href="https://www.eff.org/deeplinks/2014/10/even-golden-key-can-be-stolen-thieves-simple-facts-apples-encryption-decision"><span> adoption of encryption by default</span></a><span> is </span><a href="https://www.eff.org/deeplinks/2017/01/new-video-encrypting-web"><span>one of the most positive developments</span></a><span> in technology policy in recent years because it permits regular people to keep their data confidential from eavesdroppers, thieves, abusers, criminals, and repressive regimes around the world. By contrast, because of its framing, the report discusses these developments purely in terms of criminals “who may unknowingly benefit from default settings” and thereby evade law enforcement.</span>&#13;</p>
<p><span>By approaching the question only as one of how to deliver plaintext to law enforcement, rather than approaching the debate more holistically, the NAS does us a disservice.</span> <span>The question of whether encryption should or shouldn’t be compromised for “exceptional access” should not be treated as one of several in the encryption debate: it is </span><i><span>the </span></i><span>question. </span>&#13;</p>
<p><span>Second, although it attempts to recognize the downsides of exceptional access, the report’s discussion of the possible risks to civil liberties is notably brief. In the span of only three pages (out of nearly a hundred), it acknowledges the importance of encryption to supporting values such as privacy and free expression. Unlike the interests of law enforcement, which are represented in every section, the report discusses the risks to civil liberties posed by exceptional access as just one more tradeoff, and addresses them as a stand-alone concern. </span>&#13;</p>
<p><span>To emphasize the report’s focus, the civil liberties section ends with the observation that criminals and terrorists use encryption to “take actions that negatively impact the security of law-abiding individuals.” This ignores the possibility that encryption can both enhance civil liberties and preserve individual safety. That’s why, for example, experts on domestic violence </span><a href="http://techsafety.org/blog/2016/4/12/smartphone-encryption-protecting-victim-privacy-while-holding-offenders-accountable%20;"><span>argue</span></a><span> that smartphone encryption protects victims from their abusers, and that law enforcement should not seek to compromise smartphone encryption in order to prosecute these crimes. </span>&#13;</p>
<p><span>Furthermore, the simple act of mandating that providers break encryption in their products is itself a significant civil liberties concern, totally apart from privacy and security implications that would result. Specifically, EFF raised concerns that encryption does not just support free expression, it </span><i><span>is </span></i><span>free expression. Notably absent is any examination of the rights of developers of cryptographic software, particularly given the role played by free and open source software in the encryption ecosystem. It ignores the </span><a href="https://www.eff.org/deeplinks/2015/04/remembering-case-established-code-speech"><span>legal landscape in the United States</span></a><span>—one that strongly protects the principle that code (including encryption) is speech, protected by the First Amendment. </span>&#13;</p>
<p><span>The report also underplays the international implications of any U.S. government mandate for U.S.-based providers. Currently, companies resist demands for plaintext from regimes whose respect for the rule of law is dubious, but that will almost certainly change if they accede to similar demands from U.S. agencies. In a massive understatement, the report notes that this could have “global implications for human rights.” We wish that the NAS had given this crucial issue far more emphasis and delved more deeply into the question, for instance, of how Apple could plausibly say no to a Chinese demand to wiretap a Chinese user’s FaceTime conversations while providing that same capacity to the FBI.</span>&#13;</p>
<p><span>In any tech policy debate, expert advice is valuable not only to inform </span><i><span>how</span></i><span> to implement a particular policy but </span><i><span>whether</span></i><span> to undertake that policy in the first place. The NAS might believe that as the provider of “objective, science-based advice,” it isn’t equipped to weigh in on this sort of question. We disagree.</span></p>
</div></div></div>
Fri, 16 Feb 2018 21:04:08 +0000
98154 at https://www.eff.org
Security
Andrew Crocker
Nate Cardozo
EFF and MuckRock Are Filing a Thousand Public Records Requests About ALPR Data Sharing
https://www.eff.org/deeplinks/2018/02/eff-and-muckrock-are-filing-thousand-public-records-requests-alpr-data-sharing
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>EFF and MuckRock have launched a new public records campaign to reveal how much data law enforcement agencies have collected using automated license plate readers (ALPRs) and are sharing with each other.&#13;</p>
<p>Over the next few weeks, the two organizations are filing approximately 1,000 public records requests with agencies that have deals with Vigilant Solutions, one of the nation’s largest vendors of ALPR surveillance technology and software services. We’re seeking documentation showing who’s sharing ALPR data with whom. We are also requesting information on how many plates each agency scanned in 2016 and 2017 and how many of those plates were on predetermined “hot lists” of vehicles suspected of being connected to crimes.&#13;</p>
<p>You can see the full list of agencies and track the progress of each request through the <a href="https://www.muckrock.com/project/street-level-surveillance-alpr-campaign-210/">Street-Level Surveillance: ALPR Campaign</a> page on MuckRock.&#13;</p>
<h3>As Easy As Adding a Friend on Facebook</h3>
<p>“Joining the largest law enforcement LPR sharing network is as easy as adding a friend on your favorite social media platform.”&#13;</p>
<p>That’s a direct quote from Vigilant Solutions in its promotional materials for its ALPR technology. Through its LEARN system, Vigilant Solutions has made it possible for government agencies—particularly sheriff’s offices and police departments—to grant 24-7, unrestricted database access to hundreds of other agencies around the country.&#13;</p>
<p><a href="https://www.eff.org/pages/automated-license-plate-readers-alpr">ALPRs are camera systems</a> that scan every license plate that passes in order to create enormous databases of where people drive and park their cars both historically and in real time. Collected en masse by ALPRs mounted on roadways and vehicles, this data can reveal sensitive information about people, such as where they work, socialize, worship, shop, sleep at night, and seek medical care or other services. ALPR allows your license plate to be used as a tracking beacon and a way to map your social networks.&#13;</p>
<p>Here’s the question: who is on your local police department’s and sheriff’s office’s ALPR friend lists?&#13;</p>
<p>Perhaps you live in a “sanctuary city.” There’s <a href="https://www.eff.org/deeplinks/2018/01/ice-accesses-massive-amount-license-plate-data-will-california-take-action">a very real chance</a> local police are sharing ALPR data with Immigration &amp; Customs Enforcement, Customs &amp; Border Patrol, or one of their subdivisions.&#13;</p>
<p>Perhaps you live thousands of miles from the South. You’d be surprised to learn that scores of small towns in rural Georgia have round-the-clock access to your ALPR data. This includes towns like Meigs, which serves a population of 1,000 and did not even have <a href="http://www.timesenterprise.com/news/ga_fl_news/new-meigs-police-officers-off-to-good-start/article_806229fa-b820-11e7-ae75-130442559664.html">full-time police officers</a> until last fall.&#13;</p>
<p>In 2017, EFF and the <a href="https://www.cehrp.org/">Center for Human Rights and Privacy</a> filed records requests with several dozen law enforcement agencies in California. We found that police departments were routinely sharing ALPR data with a wide variety of agencies, in ways that may be difficult to justify. Police often shared with the DEA, FBI, and U.S. Marshals—but they also shared with federal agencies with a less clear interest, such as the U.S. Forest Service, the U.S. Department of Veterans Affairs, and the Air Force base at Fort Eustis. California agencies were also sharing with public universities on the East Coast, airports in Tennessee and Texas, and agencies that manage public assistance programs, like food stamps and indigent health care. In some cases, the records indicate the agencies were sharing with private actors.&#13;</p>
<p>Meanwhile, most agencies are connected to an additional network called the National Vehicle Locator System (NVLS), which shares sensitive information with more than 500 government agencies, the identities of which have never been publicly disclosed.&#13;</p>
<p>Here are the data sharing documents we obtained in 2017, which we are seeking to update with our new series of requests.&#13;</p>
<ul><li><a href="https://www.documentcloud.org/documents/4312397-Data-Sharing-Report-Anaheim-Police-Department.html">Anaheim Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312395-Data-Sharing-Report-Antioch-Police-Department.html">Antioch Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312398-Data-Sharing-Report-Bakersfield-Police-Department.html">Bakersfield Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312396-Data-Sharing-Report-Chino-Police-Department.html">Chino Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312404-Data-Sharing-Report-Clovis-Police-Department.html">Clovis Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312403-Data-Sharing-Report-Elk-Grove-Police-Department.html">Elk Grove Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312415-Data-Sharing-Report-Fontana-Police-Department.html">Fontana Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312408-Data-Sharing-Report-Fountain-Valley-Police.html">Fountain Valley Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312411-Data-Sharing-Report-Glendora-Police-Department.html">Glendora Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312410-Data-Sharing-Report-Hawthorne-Police-Department.html">Hawthorne Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312405-Data-Sharing-Report-Irvine-Police-Department.html">Irvine Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312409-Data-Sharing-Report-Livermore-Police-Department.html">Livermore Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312414-Data-Sharing-Report-Lodi-Police-Department.html">Lodi Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312400-Data-Sharing-Report-Long-Beach-Police-Department.html">Long Beach Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312419-Data-Sharing-Report-Montebello-Police-Department.html">Montebello Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312421-Data-Sharing-Report-Orange-Police-Department.html">Orange Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312417-Data-Sharing-Report-Palos-Verdes-Estates-Police.html">Palos Verdes Estates Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312413-Data-Sharing-Report-Red-Bluff-Police-Department.html">Red Bluff Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312416-Data-Sharing-Report-Sacramento-Police-Department.html">Sacramento Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312407-Data-Sharing-Report-San-Bernardino-Police.html">San Bernardino Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312420-Data-Sharing-Report-San-Diego-Police-Department.html">San Diego Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312418-Data-Sharing-Report-San-Rafael-Police-Department.html">San Rafael Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312402-Data-Sharing-Report-San-Ramon-Police-Department.html">San Ramon Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312399-Data-Sharing-Report-Simi-Valley-Police.html">Simi Valley Police Department</a></li>
<li><a href="https://www.documentcloud.org/documents/4312412-Data-Sharing-Report-Tulare-Police-Department.html">Tulare Police Department</a></li>
</ul><p>We hope to create a detailed snapshot of the ALPR mass surveillance network linking law enforcement and other government agencies nationwide. Currently, the only entity that has the definitive list is Vigilant Solutions, which, as a private company, is not subject to state or federal public record disclosure laws. So far, the company has not volunteered this information, despite reaping many millions in tax dollars.&#13;</p>
<p>Until they do, <a href="https://www.muckrock.com/project/street-level-surveillance-alpr-campaign-210/">we’ll keep filing requests.</a>&#13;</p>
<p><em>For more information on ALPRs, visit <a href="https://www.eff.org/pages/automated-license-plate-readers-alpr">EFF’s Street-Level Surveillance hub</a>.</em></p>
</div></div></div>
Fri, 16 Feb 2018 18:28:43 +0000
98151 at https://www.eff.org
Street-Level Surveillance
Dave Maass
Federal Judge Says Embedding a Tweet Can Be Copyright Infringement
https://www.eff.org/deeplinks/2018/02/federal-judge-says-embedding-tweet-can-be-copyright-infringement
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Rejecting <a href="https://www.eff.org/deeplinks/2007/05/p10-v-google-public-interest-prevails-digital-copyright-showdown">years of settled precedent</a>, a federal court in New York has ruled [<a href="https://www.eff.org/files/2018/02/15/goldman_v_breitbart_-_opinion.pdf">PDF</a>] that you could infringe copyright simply by embedding a tweet in a web page. Even worse, the logic of the ruling applies to all in-line linking, not just embedding tweets. If adopted by other courts, this legally and technically misguided decision would <a href="https://www.eff.org/deeplinks/2017/10/what-if-you-had-worry-about-lawsuit-every-time-you-linked-image-online">threaten millions of ordinary Internet users</a> with infringement liability.</p>
<p>This case began when Justin Goldman accused online publications, including Breitbart, Time, Yahoo, Vox Media, and the Boston Globe, of copyright infringement for publishing articles that linked to a photo of NFL star Tom Brady. Goldman took the photo, someone else tweeted it, and the news organizations embedded a link to the tweet in their coverage (the photo was newsworthy because it showed Brady in the Hamptons while the Celtics were <a href="https://media.giphy.com/media/l3q2wAsJ71oq4MT0A/giphy.gif">trying</a> to recruit Kevin Durant). Goldman said those stories infringe his copyright.</p>
<p>Courts have long held that copyright liability rests with the entity that hosts the infringing content—not someone who simply links to it. The linker generally has no idea that it’s infringing, and isn’t ultimately in control of what content the server will provide when a browser contacts it. This “server test,” originally from a <a href="https://www.eff.org/cases/perfect-10-v-google">2007 Ninth Circuit case</a> called <a href="https://www.eff.org/document/perfect-10-v-google-ninth-circuit-opinion-amended"><em>Perfect 10 v. Amazon</em></a>, provides a clear and easy-to-administer rule. It has been a foundation of the modern Internet.</p>
<p>Judge Katherine Forrest rejected the Ninth Circuit’s server test, based in part on a surprising approach to the process of embedding. The opinion describes the simple process of embedding a tweet or image—something done every day by millions of ordinary Internet users—as if it were a highly technical process done by “coders.” That process, she concluded, put publishers, not servers, in the driver’s seat:</p>
<blockquote><p>[W]hen defendants caused the embedded Tweets to appear on their websites, their actions violated plaintiff’s exclusive display right; the fact that the image was hosted on a server owned and operated by an unrelated third party (Twitter) does not shield them from this result.</p>
</blockquote>
<p>She also argued that <em>Perfect 10</em> (which concerned Google’s image search) could be distinguished because in that case the “user made an active choice to click on an image before it was displayed.” But that was not a detail that the Ninth Circuit relied on in reaching its decision. The Ninth Circuit’s rule—which looks at who actually <em>stores</em> and <em>serves</em> the images for display—is far more sensible.</p>
<p>If this ruling is appealed (there would likely need to be further proceedings in the district court first), the Second Circuit will be asked to consider whether to follow <em>Perfect 10</em> or Judge Forrest’s new rule. We hope that today’s ruling does not stand. If it did, it would threaten the ubiquitous practice of in-line linking that benefits millions of Internet users every day.</p>
</div></div></div><div class="field field--name-field-related-cases field--type-node-reference field--label-above"><div class="field__label">Related Cases:&nbsp;</div><div class="field__items"><div class="field__item even"><a href="/cases/perfect-10-v-google">Perfect 10 v. Google</a></div></div></div>
Fri, 16 Feb 2018 02:12:13 +0000
98147 at https://www.eff.org
Creativity & Innovation
Copyright Trolls
Fair Use
Daniel Nazer
The False Teeth of Chrome's Ad Filter
https://www.eff.org/deeplinks/2018/02/chromes-ad-filter-much-ado-about-nothing
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p id="magicdomid4850" class="ace-line">Today Google launched a new version of its Chrome browser with what they call an "ad filter"—which means that it sometimes blocks ads but is not an "ad blocker." EFF welcomes the elimination of the worst ad formats. But Google's approach here is a band-aid response to the crisis of trust in advertising that leaves massive user privacy issues unaddressed.</p>
<p id="magicdomid4815" class="ace-line">Last year, a new industry organization, the Coalition for Better Ads, published user research investigating ad formats responsible for "<a href="https://www.betterads.org/standards/">bad ad experiences</a>." The Coalition examined 55 ad formats, of which 12 were deemed unacceptable. These included various full page takeovers (prestitial, postitial, rollover), autoplay videos with sound, pop-ups of all types, and ad density of more than 35% on mobile. Google is supposed to check sites for the forbidden formats and give offenders 30 days to reform or have <i>all</i> their ads blocked in Chrome. Censured sites can purge the offending ads and request reexamination.</p>
<h3 id="magicdomid6">The Coalition for Better Ads Lacks a Consumer Voice</h3>
<p id="magicdomid4791" class="ace-line">The Coalition involves giants such as Google, Facebook, and Microsoft, ad trade organizations, and adtech companies and large advertisers. Criteo, a retargeter with a history of <a href="https://www.eff.org/deeplinks/2017/12/arms-race-against-trackers-safari-leads-criteo-30">contested user privacy practice</a>, is also involved, as is content marketer <a href="https://digiday.com/media/underbelly-internet-fake-news-gets-funded/#sthash.l8aGCm2m.uxfs">Taboola</a>. Consumer and digital rights groups are not represented in the Coalition.</p>
<p class="ace-line">This industry membership explains the limited horizon of the group, which ignores the non-format factors that annoy and drive users to install content blockers. While people are alienated by aggressive ad formats, the problem has other dimensions. Whether it’s the use of ads as a vector for malware, the consumption of mobile data plans by bloated ads, or the monitoring of user behavior through tracking technologies, users have a lot of reasons to take action and defend themselves.</p>
<p id="magicdomid4798" class="ace-line">But these elements are ignored. Privacy, in particular, figured neither in the tests commissioned by the Coalition, nor in their <a href="https://www.betterads.org/research/">three published reports</a> that form the basis for the new standards. This is no surprise given that participating companies include the <a href="https://webtransparency.cs.princeton.edu/webcensus/index.html">four biggest tracking companies</a>: Google, Facebook, Twitter, and AppNexus.</p>
<h3 id="magicdomid4802" class="ace-line"><b>Stopping the "Biggest Boycott in History"</b></h3>
<p id="magicdomid4814" class="ace-line">Some commentators have interpreted ad blocking as the "<a href="https://blogs.harvard.edu/doc/2015/09/28/beyond-ad-blocking-the-biggest-boycott-in-human-history/">biggest boycott in history</a>" against the abusive and intrusive nature of online advertising. Now the Coalition aims to slow the adoption of blockers by enacting minimal reforms. Pagefair, an adtech company that monitors adblocker use, estimates <a href="https://pagefair.com/blog/2017/adblockreport/">600 million active users of blockers</a>. Some see no ads at all, but most users of the two largest blockers, AdBlock and Adblock Plus, see ads "whitelisted" under the Acceptable Ads program. These companies leverage their position as gatekeepers to the user's eyeballs, obliging Google to buy back access to the "blocked" part of their user base through payments under Acceptable Ads. This is expensive (a German newspaper claims a figure as high as <a href="https://www.welt.de/wall-street-journal/article124441049/Googles-fragwuerdiger-Deal-mit-Adblock-Plus.html">25 million euros</a>) and is viewed with disapproval by many advertisers and publishers.</p>
<p id="magicdomid4447" class="ace-line">Industry actors now understand that adblocking’s momentum is rooted in the industry’s own failures, and the Coalition is a belated response to this. While nominally an exercise in self-regulation, the enforcement of the standards through Chrome is a powerful stick. By eliminating the most obnoxious ads, they hope to slow the growth of independent blockers.</p>
<h3 id="magicdomid19"><b>What Difference Will It Make?</b></h3>
<p id="magicdomid4834" class="ace-line">Coverage of Chrome's new feature has focused on the impact on publishers, and on doubts about the Internet’s biggest advertising company enforcing ad standards through its dominant browser. Google has sought to mollify publishers by stating that <a href="//www.axios.com/exclusive-2-publishers-initially-affected-by-chrome-ad-blocker-1517872626-ee000779-1b6e-4d39-ab07-a845545d71c7.html">only 1% of sites tested</a> have been found non-compliant, and has heralded the changed behavior of major publishers like the <em>LA Times</em> and <em>Forbes</em> as evidence of success. But if so few sites fall below the Coalition's bar, it seems unlikely to be enough to dissuade users from installing a blocker. Eyeo, the company behind Adblock Plus, has a lot to lose should this strategy be successful. Eyeo argues that <a href="https://adblockplus.org/blog/what-will-google-chrome-s-new-ad-filter-actually-block-we-investigate">Chrome will only "filter" 17% of the 55 ad formats tested</a>, whereas 94% are blocked by Adblock Plus.</p>
<h3 id="magicdomid22">User Protection or Monopoly Power?</h3>
<p class="ace-line">The marginalization of egregious ad formats is positive, but should we be worried by this display of power by Google? In the past, browser companies such as Opera and Mozilla took the lead in combating nuisances such as pop-ups, which was widely applauded. Those browsers were not active in advertising themselves. The situation is different with Google, the dominant player in the ad and browser markets.</p>
<p class="ace-line">Google exploiting its browser dominance to shape the conditions of the advertising market raises some concerns. It is notable that the ads Google places on videos in YouTube ("instream pre-roll") were not user-tested and are exempted from the prohibition on "auto-play ads with sound." This risk of a conflict of interest distinguishes the Coalition for Better Ads from, for example, Chrome's <a href="https://safebrowsing.google.com/">monitoring of sites associated with malware</a> and related user protection notifications.</p>
<p>There is also the risk that Google may change position with regard to third-party extensions that give users more powerful options. Recent history justifies such concern: <a href="https://www.eff.org/deeplinks/2014/08/blocking-consumer-choice-googles-dangerous-ban-privacy-security-app">Disconnect</a> and <a href="https://www.fastcompany.com/3068920/google-adnauseam-ad-blocking-war">Ad Nauseam</a> have been excluded from the Chrome Store for alleged violations of the Store’s rules. (Ironically, Adblock Plus has never experienced this problem.)</p>
<h3 id="magicdomid27">Chrome Falls Behind on User Privacy</h3>
<p id="magicdomid4929" class="ace-line">This move from Google will reduce the frequency with which users run into the most annoying ads. Regardless, it fails to address the larger problem of tracking and privacy violations. Indeed, many of the Coalition’s members were active opponents of <a href="https://www.eff.org/issues/do-not-track">Do Not Track</a> at the W3C, which would have offered privacy-conscious users an easy opt-out. The resulting impression is that the ad filter is really about the industry trying to solve its adblocking problem, not about addressing users' concerns.</p>
<p class="ace-line">Chrome, together with Microsoft Edge, is now the last major browser to <i>not</i> offer integrated tracking protection. Firefox introduced this feature last November in <a href="https://blog.mozilla.org/blog/2018/02/14/a-perspective-firefox-quantum-tracking-protection-gives-users-the-right-to-be-curious/">Quantum</a>, enabled by default in "Private Browsing" mode with the option to enable it universally. Meanwhile, Apple's Safari browser has <a href="https://www.eff.org/deeplinks/2017/06/with-new-browser-tech-apple-preserves-privacy-google-preserves-trackers">Intelligent Tracking Prevention</a>, Opera ships with an <a href="https://blogs.opera.com/desktop/2016/03/native-ad-blocking-feature-opera-for-computers/">ad/tracker blocker</a> for users to activate, and <a href="https://brave.com/">Brave</a> has user privacy at the center of its design. It is a shame that Chrome's user security and safety team, widely admired in the industry, is empowered only to offer protection against outside attackers, but not against commercial surveillance conducted by Google itself and other advertisers. If you are using Chrome (1), you need EFF's <a href="https://www.eff.org/privacybadger">Privacy Badger</a> or <a href="https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm">uBlock Origin</a> to fill this gap.</p>
<p>(1) This article does not address other problematic aspects of Google services. When users sign into Gmail, for example, their activity across other Google products is logged. Worse yet, when users are signed into Chrome their <em>full</em> browser history is stored by Google and <a href="https://twitter.com/masohnry/status/755178336691884032">may be used for ad targeting</a>. This account data can also be <a href="https://www.propublica.org/article/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking">linked to Doubleclick's cookies</a>. The storage of browser history is part of Sync (enabling users access to their data across devices), which can also be disabled. If users desire to use Sync but exclude the data from use for ad targeting by Google, this can be selected under ‘Web And App Activity’ in <a href="https://myaccount.google.com/activitycontrols/search?utm_source=HelpCenter&amp;utm_medium=websearch&amp;utm_campaign&amp;pli=1">Activity controls</a>. There is an additional opt-out from Ad Personalization in <a href="https://adssettings.google.com/authenticated">Privacy Settings</a>.</p>
</div></div></div>
Fri, 16 Feb 2018 02:00:00 +0000
98127 at https://www.eff.org
Privacy
Security Education
Alan Toner
Customs and Border Protection's Biometric Data Snooping Goes Too Far
https://www.eff.org/deeplinks/2018/02/customs-and-border-protections-biometric-data-snooping-goes-too-far
<div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>The U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) Privacy Office, and Office of Field Operations recently invited privacy stakeholders—including EFF and the ACLU of Northern California—to participate in a briefing and update on how the CBP is implementing its Biometric Entry/Exit Program.</p>
<p>As we’ve written <a href="https://www.eff.org/issues/biometrics">before</a>, biometrics systems are designed to identify or verify the identity of people by using their intrinsic physical or behavioral characteristics. Because biometric identifiers are by definition unique to an individual person, government collection and storage of this data poses unique threats to privacy and security of individual travelers.</p>
<p>EFF has many concerns about the government collecting and using biometric identifiers, and specifically, we object to the <a href="https://www.eff.org/deeplinks/2017/08/end-biometric-border-screening">expansion</a> of several DHS programs subjecting Americans and <a href="https://www.eff.org/document/fingerprints-dna-biometric-data-collection-us-immigrant-communities-and-beyond">foreign citizens</a> to facial recognition screening at international <a href="https://fcw.com/articles/2018/01/30/facial-recognition-tsa-rockwell.aspx">airports</a>. EFF appreciated the opportunity to share these concerns directly with CBP officers and we hope to work with CBP to allow travelers to opt out of the program entirely.</p>
<p>You can read the full letter we sent to CBP <a href="/document/eff-follow-letter-us-customs-and-border-protection">here</a>.</p>
</div></div></div>
Fri, 16 Feb 2018 01:21:06 +0000
98144 at https://www.eff.org
Policy Analysis
Biometrics
Privacy
India McKinney